CVE-2022-22965

Spring Framework JDK 9+ Remote Code Execution Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

94.5%

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Act

*SSVC

Descriptions

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Una aplicación Spring MVC o Spring WebFlux que es ejecutada en JDK 9+ puede ser vulnerable a la ejecución de código remota (RCE) por medio de una vinculación de datos. La explotación específica requiere que la aplicación sea ejecutada en Tomcat como un despliegue WAR. Si la aplicación es desplegada como un jar ejecutable de Spring Boot, es decir, por defecto, no es vulnerable a la explotación. Sin embargo, la naturaleza de la vulnerabilidad es más general, y puede haber otras formas de explotarla

A flaw was found in Spring Framework, specifically within two modules called Spring MVC and Spring WebFlux, (transitively affected from Spring Beans), using parameter data binding. This flaw allows an attacker to pass specially-constructed malicious requests to certain parameters and possibly gain access to normally-restricted functionality within the Java Virtual Machine.

Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation execution, and business optimization for solving planning problems. It automates business decisions and makes that logic available to the entire business. This asynchronous security patch is an update to Red Hat Decision Manager 7. Issues addressed include a code execution vulnerability.

Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Act

Exploitation

Active

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2022-01-10 CVE Reserved
2022-04-01 CVE Published
2022-04-01 First Exploit
2022-04-04 Exploited in Wild
2022-04-25 KEV Due Date
2025-01-29 CVE Updated
2025-04-17 EPSS Updated

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')

CAPEC

References (94)

URL	Tag	Source
http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Rem...	Third Party Advisory
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Third Party Advisory
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
https://github.com/spring-projects/spring-framework/issues/28261

1 - 5 of 5

URL	Date	SRC
https://packetstorm.news/files/id/167011	2022-05-10
https://packetstorm.news/files/id/166713	2022-04-13
https://github.com/alt3kx/CVE-2022-22965	2022-04-07
https://github.com/zangcc/CVE-2022-22965-rexbb	2023-11-14
https://github.com/Kirill89/CVE-2022-22965-PoC	2022-04-01
https://github.com/tangxiaofeng7/CVE-2022-22965-Spring-Cor...	2022-04-01
https://github.com/p1ckzi/CVE-2022-22965	2022-06-30
https://github.com/me2nuk/CVE-2022-22965	2022-04-04
https://github.com/light-Life/CVE-2022-22965-GUItools	2022-04-02
https://github.com/viniciuspereiras/CVE-2022-22965-poc	2023-11-29

1 - 10 of 82

URL	Date	SRC
https://cert-portal.siemens.com/productcert/pdf/ssa-254054...	2023-02-09
https://www.oracle.com/security-alerts/cpujul2022.html	2023-02-09

1 - 2 of 2

URL	Date	SRC
https://tanzu.vmware.com/security/cve-2022-22965	2022-03-31
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-...	2023-02-09
https://access.redhat.com/security/cve/CVE-2022-22965	2022-04-27
https://bugzilla.redhat.com/show_bug.cgi?id=2070348	2022-04-27
https://access.redhat.com/security/vulnerabilities/RHSB-2022-003	2022-04-27

1 - 5 of 5

Affected Vendors, Products, and Versions (97)

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Vmware Search vendor "Vmware"		Spring Framework Search vendor "Vmware" for product "Spring Framework"				< 5.2.20 Search vendor "Vmware" for product "Spring Framework" and version " < 5.2.20"		-		Affected
Vmware Search vendor "Vmware"		Spring Framework Search vendor "Vmware" for product "Spring Framework"				>= 5.3.0 < 5.3.18 Search vendor "Vmware" for product "Spring Framework" and version " >= 5.3.0 < 5.3.18"		-		Affected
Cisco Search vendor "Cisco"		Cx Cloud Agent Search vendor "Cisco" for product "Cx Cloud Agent"				< 2.1.0 Search vendor "Cisco" for product "Cx Cloud Agent" and version " < 2.1.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Automated Test Suite Search vendor "Oracle" for product "Communications Cloud Native Core Automated Test Suite"				1.9.0 Search vendor "Oracle" for product "Communications Cloud Native Core Automated Test Suite" and version "1.9.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Automated Test Suite Search vendor "Oracle" for product "Communications Cloud Native Core Automated Test Suite"				22.1.0 Search vendor "Oracle" for product "Communications Cloud Native Core Automated Test Suite" and version "22.1.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Console Search vendor "Oracle" for product "Communications Cloud Native Core Console"				1.9.0 Search vendor "Oracle" for product "Communications Cloud Native Core Console" and version "1.9.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Console Search vendor "Oracle" for product "Communications Cloud Native Core Console"				22.1.0 Search vendor "Oracle" for product "Communications Cloud Native Core Console" and version "22.1.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Network Exposure Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Exposure Function"				22.1.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Exposure Function" and version "22.1.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Network Function Cloud Native Environment Search vendor "Oracle" for product "Communications Cloud Native Core Network Function Cloud Native Environment"				1.10.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Function Cloud Native Environment" and version "1.10.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Network Function Cloud Native Environment Search vendor "Oracle" for product "Communications Cloud Native Core Network Function Cloud Native Environment"				22.1.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Function Cloud Native Environment" and version "22.1.0"		-		Affected

1 - 10 of 97