It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Vulnerability - Expression Language Injection: Spring CVE-2017-8046 Edited

During security scanning of our environment following Vulnerability found in Jira Data Center version 7.10.12.

During brief search on internet found that this is related to Spring Data Rest Library version. 

Any help will be appreciated in resolving or overcoming this CVE.


Spring Data REST provides REST web services on top of Spring Data repositories, exposing data structures representing the application model. A Spring Expression Language injection vulnerability identified by CVE-2017-8046 allows remote attackers to achieve remote code execution (RCE) in applications exposing Spring Data REST endpoints. This RCE can be exploited by attackers to invoke arbitrary java commands (e.g. java.lang.Runtime).getRuntime().exec()) which can facilitate arbitrary command execution. The vulnerability is manifested in applications using Spring Data REST library 2.6.8 and earlier.


Scanning Details with 

Expression Language Injection: Spring ( 11579 ) View Description

CWE: 94,95

Kingdom: Input Validation and Representation


Page: https://<<JIra-URL>>:443/browse/DCL-429


PATCH /browse/DCL-429 HTTP/1.1
Referer: https://<<JIra-URL>>/browse/DCL-2
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: <<JIRA-URL>>
Content-Type: application/json-patch+json
Connection: Keep-Alive
Content-Length: 85
X-WIPP: AscVersion=
X-Scan-Memo: Category="Audit.Attack"; SID="9F705117AF15BD0C9033A9C5A9394EB1";
PSID="35B57D1E4592584348C3E9FF65A68363"; SessionType="AuditAttack"; CrawlType="None";
AttackType="Other"; OriginatingEngineID="10a0aa96-8371-4433-b206-6660f3859642";
AttackSequence="0"; AttackParamDesc=""; AttackParamIndex="0"; AttackParamSubIndex="0";
CheckId="11579"; Engine="Spring+DATARESTEL+Injection"; SmartMode="NonServerSpecificOnly";
ThreadId="1519"; ThreadType="AuditorStateRequestor";
X-RequestManager-Memo: RequestorThreadIndex="0"; sid="175024"; smi="0"; sc="1"; ID="61195b39-
X-Request-Memo: ID="e84556ea-9117-42e7-8ecc-d5fc4e136600"; sc="1"; ThreadId="1519";
Cookie: CustomCookie=WebInspect0


HTTP/1.1 403
Date: Wed, 19 Dec 2018 13:42:52 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Server: Apache
X-AREQUESTID: 822x962139x1
X-ANODEID: node2
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self' *.<<AWS-Domain>>; script-src 'self' *.<<AWS-Domain>> 'unsafeinline'
'unsafe-eval'; style-src 'self' *.<<AWS-Domain>> 'unsafe-inline'; img-src 'self' *.<<AWS-Domain>>
data:; connect-src 'self' *.<<AWS-Domain>>; font-src 'self' *.<<AWS-Domain>>; object-src 'self'
*.<<AWS-Domain>>; media-src 'self' *.<<AWS-Domain>>; frame-src 'self' *.<<AWS-Domain>>; child-src 'self'
*.<<AWS-Domain>>; form-action 'self' *.<<AWS-Domain>>;
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
Pragma: no-cache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
WWW-Authenticate: OAuth realm="https%3A%2F%2Fgbs-<<JIRA-URL>>"
jXir-aA.uusthdecnatgic.aawtiosn.r-aDye.cnoiemd/-lRogeians.josnp: CAPTCHA_CHALLENGE; login-url=https://<<JIra-URL>>/login.jsp
Content-Length: 18233
n8ppKv7RAV0uQzyX4OXgLBVVAzAT8E00HDQmzEBLqFzbcxaWzC0; Expires=Wed, 26 Dec 2018
13:42:52 GMT; Path=/
PNBL5lHf+2nwdOpsaZ9ndAouXkAP6RjUp3TKLfj4KQ==; Expires=Wed, 26 Dec 2018 13:42:52 GMT;

1 answer

0 votes

We have had other users log support requests to investigate this specific CVE.  However our security team has found that Atlassian products such as Jira Cloud, Jira Server, and Jira Data Center are not actually affected by this because we are not using the Spring REST Data library in our products.

As such I believe this is likely a false positive of the scan.  Jira does have REST endpoints that can be accessed, but in this case I don't believe this CVE applies because Jira is not using the libraries that are affected by this.

Please let me know if you have any additional concerns.


Suggest an answer

Log in or Sign up to answer
This widget could not be displayed.
This widget could not be displayed.
Community showcase
Published Feb 26, 2019 in Jira Software

How to prevent the propagation of unused project schemes, workflows & screens in Jira software

Atlassian ranks project attributes as the third most important factor impacting performance in the category of data. It’s not surprising, since project attributes are precisely the rules used to ma...

1,088 views 1 13
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you