Description
Spring Framework contains a ClassLoader manipulation vulnerability, reachable through request data binding, that can be escalated to remote code execution on systems running JDK 9+. Spring MVC and Spring WebFlux web applications may be vulnerable. Applications deployed as a Spring Boot executable jar are not vulnerable to the public exploit.
Remediation
Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.18+; 5.2.x users should upgrade to 5.2.20+.
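For deployments that cannot upgrade immediately, the global data-binder hardening that Spring published in its early announcement blocks the property paths the binding attack travels through; this is an added illustration, not code from this advisory or the Spring project itself, and the class name is assumed.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Hypothetical class name; any bean picked up by component scanning works.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class ClassLoaderBindingAdvice {

    // Property-path patterns that let request parameters reach the bound
    // object's Class (and from there its ClassLoader) during data binding.
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void denyClassLoaderPaths(WebDataBinder binder) {
        // Applies to every WebDataBinder created for a controller method.
        // Caveat: a controller whose own @InitBinder calls setDisallowedFields
        // replaces this list, so it must include these patterns itself.
        binder.setDisallowedFields(DENYLIST);
    }
}
```

Treat this as a stopgap only: it narrows the binding surface but does not change the framework behaviour that the fixed versions correct.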
References
Spring4Shell: Security Analysis of the latest Java RCE '0-day' vulnerabilities in Spring
Spring Core on JDK9+ is vulnerable to remote code execution
Spring Framework RCE, Early Announcement
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+