← Volver a CVEs
CVE-2022-22963
CRITICALCISA KEV9.8
Descripcion
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
Detalles CVE
Puntuacion CVSS v3.19.8
SeveridadCRITICAL
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosNONE
Interaccion usuarioNONE
Publicado4/1/2022
Ultima modificacion10/30/2025
Fuentekev
Avistamientos honeypot0
CISA KEV
VendedorVMware Tanzu
ProductoSpring Cloud
Nombre vulnerabilidadVMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability
Fecha inclusion KEV2022-08-25
Fecha limite remediacion2022-09-15
Uso en ransomwareUnknown
Productos afectados
oracle:banking_branchoracle:banking_cash_managementoracle:banking_corporate_lending_process_managementoracle:banking_credit_facilities_process_managementoracle:banking_electronic_data_exchange_for_corporatesoracle:banking_liquidity_managementoracle:banking_originationoracle:banking_supply_chain_financeoracle:banking_trade_finance_process_managementoracle:banking_virtual_account_managementoracle:communications_cloud_native_core_automated_test_suiteoracle:communications_cloud_native_core_consoleoracle:communications_cloud_native_core_network_exposure_functionoracle:communications_cloud_native_core_network_function_cloud_native_environmentoracle:communications_cloud_native_core_network_repository_functionoracle:communications_cloud_native_core_network_slice_selection_functionoracle:communications_cloud_native_core_policyoracle:communications_cloud_native_core_security_edge_protection_proxyoracle:communications_cloud_native_core_unified_data_repositoryoracle:communications_communications_policy_managementoracle:financial_services_analytical_applications_infrastructureoracle:financial_services_behavior_detection_platformoracle:financial_services_enterprise_case_managementoracle:mysql_enterprise_monitororacle:product_lifecycle_analyticsoracle:retail_xstore_point_of_serviceoracle:sd-wan_edgevmware:spring_cloud_function
Debilidades (CWE)
CWE-94CWE-917
Referencias
http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html(security@vmware.com)
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005(security@vmware.com)
https://tanzu.vmware.com/security/cve-2022-22963(security@vmware.com)
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH(security@vmware.com)
https://www.oracle.com/security-alerts/cpuapr2022.html(security@vmware.com)
https://www.oracle.com/security-alerts/cpujul2022.html(security@vmware.com)
http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005(af854a3a-2127-422b-91ae-364da2661108)
https://tanzu.vmware.com/security/cve-2022-22963(af854a3a-2127-422b-91ae-364da2661108)
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH(af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2022.html(af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2022.html(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22963(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.