{
  "acceptance_criteria": [
    "Affected product or dependency presence is confirmed by a human.",
    "Affected version is confirmed or marked not applicable.",
    "Official advisory or source reference is reviewed.",
    "Patch, fixed version, mitigation, workaround, or monitor-only decision is documented.",
    "Validation steps are proposed without external scanning or production mutation."
  ],
  "affected_context": {
    "component": null,
    "cpe": [],
    "ecosystems": [],
    "product": "spring_boot",
    "purl": [],
    "vendor": "vmware",
    "versions": [
      "2.0.0",
      "3.0.0"
    ]
  },
  "canonical_signal_url": "https://vuln.signal-radar.com/vuln/public-candidate/CVE-2017-8046/",
  "cve_id": "CVE-2017-8046",
  "generated_at": "2026-06-26T22:40:02.296639+00:00",
  "human_checklist": [
    "Confirm whether the listed product or package is present.",
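    "Confirm affected version against the version ranges in the source summary, which cover Spring Data REST as well as Spring Boot; the affected_context version list does not express those ranges.",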
    "Review vendor advisory or official source.",
    "Confirm patch, fixed version, mitigation, workaround, or monitor-only decision.",
    "Confirm exposure.",
    "Document remediation status."
  ],
  "pack_version": "remediation-handoff/0.1",
  "redaction_policy": {
    "exploit_steps_removed": true,
    "payloads_removed": true,
    "scanner_instructions_removed": true,
    "source_published_defensive_context_allowed": true
  },
  "remediation_context": {
    "fixed_versions": [],
    "mitigation_notes": [
      "Remediation reference present; patch status requires confirmation in the linked advisory.",
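      "Patch status requires confirmation from the linked advisory or official source. The source summary describes the issue as affecting Spring Data REST versions prior to 2.6.9 (Ingalls SR9) and 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9 and 2.0 M6; confirm those boundaries against the advisory before recording fixed versions."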
    ],
    "patch_status": "requires_confirmation",
    "recommended_route": "vendor_patch_or_mitigation",
    "reference_status": "official_reference_present"
  },
  "risk_context": {
    "cvss_label": "CRITICAL",
    "cvss_score": 9.8,
    "epss_percentile": 0.99376,
    "kev_status": "not_listed",
    "risk_flags": [
      "CVSS CRITICAL",
      "high EPSS percentile",
      "official reference present"
    ],
    "severity": "CRITICAL"
  },
  "rollback_note": "If remediation work is later performed, define a project-specific rollback plan before changing any production system.",
  "safe_agent_handoff": {
    "allowed_actions": [
      "summarize vendor guidance",
      "prepare a defensive remediation plan",
      "identify affected dependencies only when repo context is separately provided by the user",
      "suggest tests and validation steps",
      "document human verification questions"
    ],
    "auto_remediation_allowed": false,
    "disallowed_actions": [
      "generate offensive code",
      "provide payloads",
      "scan external targets",
      "change production systems",
      "merge or deploy changes",
      "create GitHub issues or pull requests without explicit separate approval"
    ],
    "external_execution_allowed": false,
    "goal": "Prepare a defensive remediation plan for CVE-2017-8046 using only provided public-safe source context and any separate repo context supplied by the user.",
    "human_approval_required": true,
    "scan_allowed": false
  },
  "safety_notes": [
    "Defensive triage and remediation planning only.",
    "No offensive procedure, payload material, external target scan, or auto-remediation instruction is included.",
    "A kev_status of not_listed means the CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog for this record; it does not prove absence of exploitation."
  ],
  "source_context": {
    "references": [
      "http://www.securityfocus.com/bid/100948",
      "https://pivotal.io/security/cve-2017-8046"
    ],
    "source_names": [
      "NVD",
      "OSV",
      "Vendor Advisory"
    ],
    "source_published_impact": "This critical-severity issue needs human triage to confirm exposure, affected versions, and vendor guidance.",
    "source_published_summary": "NVD: Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code. OSV: Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code."
  }
}