Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2022-22965

Опубликовано: 01 апр. 2022
Источник: debian
EPSS Критический

Описание

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
libspring-javaunfixedpackage

Примечания

  • https://bugalert.org/content/notices/2022-03-30-spring.html

  • https://tanzu.vmware.com/security/cve-2022-22965

  • Only supported for building applications shipped in Debian, see README.Debian.security

EPSS

Процентиль: 100%
0.9446
Критический

Связанные уязвимости

CVSS3: 9.8
ubuntu
больше 3 лет назад

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

CVSS3: 8.1
redhat
больше 3 лет назад

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

CVSS3: 9.8
nvd
больше 3 лет назад

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

CVSS3: 9.8
github
больше 3 лет назад

Remote Code Execution in Spring Framework

CVSS3: 8.8
fstec
больше 3 лет назад

Уязвимость модуля Spring Core программной платформы Spring Framework, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 100%
0.9446
Критический