← Retour aux CVEs
CVE-2022-22965
CRITICALCISA KEV9.8
Description
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Details CVE
Score CVSS v3.19.8
SeveriteCRITICAL
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurNONE
Publie4/1/2022
Derniere modification10/30/2025
Sourcekev
Observations honeypot0
CISA KEV
FournisseurVMware
ProduitSpring Framework
Nom vulnerabiliteSpring Framework JDK 9+ Remote Code Execution Vulnerability
Date ajout KEV2022-04-04
Date limite remediation2022-04-25
Utilise dans ransomwareUnknown
Produits affectes
cisco:cx_cloud_agentoracle:commerce_platformoracle:communications_cloud_native_core_automated_test_suiteoracle:communications_cloud_native_core_binding_support_functionoracle:communications_cloud_native_core_consoleoracle:communications_cloud_native_core_network_exposure_functionoracle:communications_cloud_native_core_network_function_cloud_native_environmentoracle:communications_cloud_native_core_network_repository_functionoracle:communications_cloud_native_core_network_slice_selection_functionoracle:communications_cloud_native_core_policyoracle:communications_cloud_native_core_security_edge_protection_proxyoracle:communications_cloud_native_core_unified_data_repositoryoracle:communications_policy_managementoracle:communications_unified_inventory_managementoracle:financial_services_analytical_applications_infrastructureoracle:financial_services_behavior_detection_platformoracle:financial_services_enterprise_case_managementoracle:jdkoracle:mysql_enterprise_monitororacle:product_lifecycle_analyticsoracle:retail_bulk_data_integrationoracle:retail_customer_management_and_segmentation_foundationoracle:retail_financial_integrationoracle:retail_integration_busoracle:retail_merchandising_systemoracle:retail_xstore_point_of_serviceoracle:sd-wan_edgeoracle:weblogic_serversiemens:operation_schedulersiemens:simatic_speech_assistant_for_machinessiemens:sinec_network_management_systemsiemens:sipass_integratedsiemens:siveillance_identityveritas:access_applianceveritas:flex_applianceveritas:netbackup_applianceveritas:netbackup_flex_scale_applianceveritas:netbackup_virtual_appliancevmware:spring_framework
Faiblesses (CWE)
CWE-94CWE-94
References
http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html(security@vmware.com)
http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html(security@vmware.com)
https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf(security@vmware.com)
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005(security@vmware.com)
https://tanzu.vmware.com/security/cve-2022-22965(security@vmware.com)
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67(security@vmware.com)
https://www.oracle.com/security-alerts/cpuapr2022.html(security@vmware.com)
https://www.oracle.com/security-alerts/cpujul2022.html(security@vmware.com)
http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf(af854a3a-2127-422b-91ae-364da2661108)
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005(af854a3a-2127-422b-91ae-364da2661108)
https://tanzu.vmware.com/security/cve-2022-22965(af854a3a-2127-422b-91ae-364da2661108)
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67(af854a3a-2127-422b-91ae-364da2661108)
https://www.kb.cert.org/vuls/id/970766(af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2022.html(af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2022.html(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22965(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.