A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Published 2022-04-01 23:15:14
Updated 2024-10-18 19:52:03
Source VMware
Vulnerability category: Execute code

Products affected by CVE-2022-22965

CVE-2022-22965 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
CISA required action: Apply updates per vendor instructions.
CISA description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-22965
Added on: 2022-04-04
Action due date: 2022-04-25

Exploit prediction scoring system (EPSS) score for CVE-2022-22965

EPSS score: 97.50% (probability of exploitation activity in the next 30 days)
Percentile: ~100% (the proportion of vulnerabilities that are scored at or less)

Metasploit modules for CVE-2022-22965

  • Spring Framework Class property RCE (Spring4Shell)
    Disclosure Date: 2022-03-31
    First seen: 2022-12-23
    exploit/multi/http/spring_framework_rce_spring4shell
    Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable to remote code execution due to an unsafe data bindi

CVSS scores for CVE-2022-22965

| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
| 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |

CWE ids for CVE-2022-22965

  • The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
    Assigned by:
    • nvd@nist.gov (Primary)
    • security@vmware.com (Secondary)
