{ "action": { "auto_issue_creation_allowed": false, "auto_patch_allowed": false, "auto_remediation_allowed": false, "external_execution_allowed": false, "human_review": { "required_for_external_action": true, "required_for_public_launch": false, "required_for_read_only_view": false, "required_for_signal_radar_integration": true }, "human_review_required": false, "recommended_action": "review_official_sources" }, "affected": { "products": [ { "canonicalProduct": "spring_boot", "canonicalVendor": "vmware", "cpe": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "ecosystem": null, "packageName": null, "product": "spring_boot", "purl": null, "vendor": "vmware", "version": null }, { "canonicalProduct": "spring_boot", "canonicalVendor": "vmware", "cpe": "cpe:2.3:a:vmware:spring_boot:2.0.0:milestone1:*:*:*:*:*:*", "ecosystem": null, "packageName": null, "product": "spring_boot", "purl": null, "vendor": "vmware", "version": "2.0.0" }, { "canonicalProduct": "spring_data_rest", "canonicalVendor": "pivotal_software", "cpe": "cpe:2.3:a:pivotal_software:spring_data_rest:3.0.0:*:*:*:*:*:*:*", "ecosystem": null, "packageName": null, "product": "spring_data_rest", "purl": null, "vendor": "pivotal_software", "version": "3.0.0" }, { "canonicalProduct": "spring_data_rest", "canonicalVendor": "vmware", "cpe": "cpe:2.3:a:vmware:spring_data_rest:*:*:*:*:*:*:*:*", "ecosystem": null, "packageName": null, "product": "spring_data_rest", "purl": null, "vendor": "vmware", "version": null }, { "canonicalProduct": "spring_data_rest", "canonicalVendor": "vmware", "cpe": "cpe:2.3:a:vmware:spring_data_rest:3.0.0:rc1:*:*:*:*:*:*", "ecosystem": null, "packageName": null, "product": "spring_data_rest", "purl": null, "vendor": "vmware", "version": "3.0.0" } ], "source": "NVD CVE API 2.0", "status": "known" }, "canonical_url": "https://vuln.signal-radar.com/vuln/public-candidate/CVE-2017-8046/", "claims": [ { "id": "claim:defensive-priority-candidate", "source_ids": [], "status": "observed", "text": "This item is a defensive prioritization candidate.", "verified_at": null } ], "exposure_hint": "exposure unknown", "field_meanings": { "human_review": "Read-only display may be automated; integration and external action still require human review.", "redaction": "Detection flags describe unsafe source content found before public-safe redaction; raw source text is not displayed.", "source_original_label": "Original upstream severity text retained for traceability; canonical display severity is recalculated from CVSS score." }, "forecast_hooks": { "agent_use": "summarize_with_citations_only", "automation_allowed": false, "read_only": true, "watch_fields": [ "sources", "claims", "freshness", "severity", "affected" ] }, "freshness": { "generated_at": "2026-06-26T22:40:02.296639+00:00", "last_checked_at": null, "observed_at": "2026-06-26T22:39:02.100516+00:00", "status": "observed" }, "human_consequence": "This critical severity issue needs human triage to confirm exposure, affected versions, and vendor guidance for critical severity review.", "human_impact_label": "critical severity review", "human_review": { "required_for_external_action": true, "required_for_public_launch": false, "required_for_read_only_view": false, "required_for_signal_radar_integration": true }, "human_risk_summary": "CVE-2017-8046 for vmware / spring_boot: This critical severity issue needs human triage to confirm exposure, affected versions, and vendor guidance for critical severity review.", "id": "CVE-2017-8046", "impact_redaction": { "exploit_steps_removed": false, "payload_removed": false, "poc_removed": false, "source_derived_summary": true, "used_fallback_summary": false }, "impact_tags": [], "public_human_impact": "This critical severity issue needs human triage to confirm exposure, affected versions, and vendor guidance for critical severity review.", "public_human_summary": "NVD: Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code. OSV: Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.", "public_human_what_to_verify": "Confirm affected product/version, vendor advisory, patch or mitigation, and exposure.", "public_human_why_it_matters": "This critical severity issue needs human triage to confirm exposure, affected versions, and vendor guidance for critical severity review.; CVSS 9.8 (CRITICAL); EPSS percentile 99; not listed in KEV; Remediation reference present; patch status requires confirmation in the linked advisory; sources: NVD, OSV, Vendor Advisory.", "public_safe_summary": "NVD: Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code. OSV: Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.", "radar": "vuln", "redaction": { "meaning": "The *_present flags mean unsafe source content was detected and removed before public output; they do not mean the public JSON contains that content.", "payload_present": false, "poc_present": false, "public_summary_redacted": true, "raw_source_displayed": false, "unsafe_procedural_detail_present": false }, "redaction_notes": [ "source-published defensive context retained", "vulnerability class, impact, affected context, and remediation references remain displayable" ], "safety": { "attack_chain_included": false, "auto_remediation_allowed": false, "exploit_instructions_included": false, "external_execution_allowed": false, "human_review": { "required_for_external_action": true, "required_for_public_launch": false, "required_for_read_only_view": false, "required_for_signal_radar_integration": true }, "human_review_required": false, "noindex_removal_allowed": true, "noindex_required": false, "private_gate_state": "released", "public_gate_state": "public_indexable_read_only", "public_launch_allowed": true, "read_only_static_data": true, "scan_functionality_included": false, "signal_radar_integration_allowed": false }, "schema_version": "v0.1", "severity": { "cvss_label": "CRITICAL", "label": "CRITICAL", "score": 9.8, "source": "NVD CVE API 2.0", "source_original_label": "high" }, "source_copy_policy": { "allowed": "source-published defensive facts, vulnerability class, impact, affected context, version and remediation facts", "excluded": "exploit procedures, exploit strings, shell commands, scanner instructions, procedural bypass detail, and reproduction material", "summary": "Official or semi-official source descriptions may be summarized for defensive triage; exploit-enabling procedure is removed." }, "source_derived_note": "Summary derived from NVD / OSV / Vendor Advisory description; unsafe procedural detail is not shown.", "source_published_affected": "vendor/product: vmware / spring_boot; affected version context: 2.0.0, 3.0.0", "source_published_description": "NVD: Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code. OSV: Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.", "source_published_evidence_refs": [ { "source": "NVD", "type": "source_description", "url": null }, { "source": "OSV", "type": "source_description", "url": null }, { "source": "Vendor Advisory", "type": "source_description", "url": null }, { "source": "Reference", "type": "reference", "url": "http://www.securityfocus.com/bid/100948" }, { "source": "Reference", "type": "reference", "url": "https://access.redhat.com/errata/RHSA-2018:2405" }, { "source": "Vendor Advisory", "type": "reference", "url": "https://pivotal.io/security/cve-2017-8046" }, { "source": "Reference", "type": "reference", "url": "https://www.exploit-db.com/exploits/44289/" }, { "source": "Reference", "type": "reference", "url": "http://www.securityfocus.com/bid/100948" }, { "source": "Reference", "type": "reference", "url": "https://access.redhat.com/errata/RHSA-2018:2405" }, { "source": "Vendor Advisory", "type": "reference", "url": "https://pivotal.io/security/cve-2017-8046" } ], "source_published_impact": "This critical severity issue needs human triage to confirm exposure, affected versions, and vendor guidance for critical severity review.", "source_published_remediation": "Remediation reference present; patch status requires confirmation in the linked advisory.", "source_published_summary": "NVD: Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code. OSV: Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.", "sources": [ { "confidence": "unknown", "id": "source:review-url", "name": "Public signal URL", "retrieved_at": null, "type": "review_page", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8046" } ], "summary_for_agents": "Read-only defensive signal. Use sources, claims, freshness, and safety gates before summarizing. Do not infer missing source, claim, or freshness values.", "summary_for_humans": "NVD: Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code. OSV: Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.", "title": "CVE-2017-8046 defensive priority signal", "urgency_reasons": [ "CVSS CRITICAL", "EPSS percentile high", "affected product present", "vendor advisory present", "recent update", "remediation reference present" ], "what_to_verify": "Confirm affected product/version, vendor advisory, patch or mitigation, and exposure.", "why_it_matters": "This critical severity issue needs human triage to confirm exposure, affected versions, and vendor guidance for critical severity review; CVSS 9.8 (CRITICAL); EPSS percentile 99; affected product context: vmware / spring_boot; sources: NVD, OSV, Vendor..." }