Vulnerability Details : CVE-2022-22965

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Vulnerability category: Execute code
Published 2022-04-01 23:15:14
Updated 2023-02-09 02:07:02
Source VMware
View at NVD,
At least one public exploit which can be used to exploit this vulnerability exists!
CVE-2022-22965 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Spring Framework JDK 9+ Remote Code Execution Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Added on 2022-04-04 Action due date 2022-04-25

Exploit prediction scoring system (EPSS) score for CVE-2022-22965

Probability of exploitation activity in the next 30 days: 97.48%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2022-22965

  • Spring Framework Class property RCE (Spring4Shell)
    Disclosure Date : 2022-03-31
    Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable to remote code execution due to an unsafe data binding used to populate an object from request parameters to set a Tomcat specific ClassLoader. By crafting a request to the application and referencing the org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following: class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can gain remote code execution. Authors: - vleminator <[email protected]>

CVSS scores for CVE-2022-22965

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Source
[email protected]
[email protected]

CWE ids for CVE-2022-22965

References for CVE-2022-22965

Products affected by CVE-2022-22965

This web site uses cookies for managing your session and website analytics (Google analytics) purposes as described in our privacy policy.
By using this web site you are agreeing to terms of use!