CVE-2022-22965 Information

Description

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar i.e. the default it is not vulnerable to the exploit. However the nature of the vulnerability is more general and there may be other ways to exploit it.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://tanzu.vmware.com/security/cve-2022-22965 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67 https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005 http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf https://www.oracle.com/security-alerts/cpuapr2022.html http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8