CVE-2022-22965

Опубликовано: 01 апр. 2022

Источник: ubuntu

Приоритет: high

EPSS Критический

CVSS2: 7.5

CVSS3: 9.8

Описание

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Релиз	Статус	Примечание
bionic	ignored	end of standard support, was needs-triage
devel	released	4.3.30-2ubuntu1
esm-apps/bionic	released	4.3.22-1~18.04.1~esm1
esm-apps/focal	released	4.3.22-4ubuntu0.1~esm1
esm-apps/jammy	released	4.3.30-1ubuntu0.1~esm1
esm-apps/noble	released	4.3.30-2ubuntu0.24.04.1~esm1
esm-apps/xenial	not-affected	only builds using jdk 9+ are affected
esm-infra-legacy/trusty	not-affected	only builds using jdk 9+ are affected
focal	ignored	end of standard support, was needed
impish	ignored	end of life

Показывать по

Ссылки на источники

EPSS

Процентиль: 100%

0.9446

Критический

7.5 High

CVSS2

9.8 Critical

CVSS3

Связанные уязвимости

CVE-2022-22965

CVSS3: 8.1

redhat

около 3 лет назад

CVE-2022-22965

CVSS3: 9.8

nvd

около 3 лет назад

CVE-2022-22965

CVSS3: 9.8

debian

около 3 лет назад

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vu ...

GHSA-36p3-wjmg-h94x

CVSS3: 9.8

github

около 3 лет назад

Remote Code Execution in Spring Framework

BDU:2022-01631

CVSS3: 8.8

fstec

около 3 лет назад

Уязвимость модуля Spring Core программной платформы Spring Framework, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 100%

0.9446

Критический

7.5 High

CVSS2

9.8 Critical

CVSS3

CVE-2022-22965

Описание

Пакет libspring-java

Ссылки на источники

Связанные уязвимости