Vulnerability

VU#970766: Spring Framework insecurely handles PropertyDescriptor objects with data binding

July 1, 2022

Overview

The Spring Framework insecurely handles PropertyDescriptor objects, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

The Spring Framework is a Java framework that can be used to create applications such as web applications. Due to improper handling of PropertyDescriptor objects used with data binding, Java applications written with Spring may allow for the execution of arbitrary code.

Exploit code that targets affected WAR-packaged Java code for tomcat servers is publicly available.

NCSC-NL has a list of products and their statuses with respect to this vulnerability.

Impact

By providing crafted data to a Spring Java application, such as a web application, an attacker may be able to execute arbitrary code with the privileges of the affected application. Depending on the application, exploitation may be possible by a remote attacker without requiring authentication.

Solution

Apply an update

This issue is addressed in Spring Framework 5.3.18 and 5.2.20. Please see the Spring Framework RCE Early Announcement for more details.

Acknowledgements

This issue was publicly disclosed by heige.

This document was written by Will Dormann

Vendor Information

One or more vendors are listed for this advisory. Please reference the full report for more information.

References

https://tanzu.vmware.com/security/cve-2022-22965

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html

https://github.com/NCSC-NL/spring4shell/blob/main/software/README.md

Other Information

CVE IDs:

CVE-2022-22965

Date Public:

2022-03-30
Date First Published:
2022-03-31
Date Last Updated:
2022-05-19 16:09 UTC
Document Revision:
22

About vulnerability notes
Contact us about this vulnerability
Provide a vendor statement
Related Posts
Clear Filters
VU#782720: TCG TPM2.0 implementations vulnerable to memory corruption on 28/02/2023 at 5:37 pm
VULNERABILITIES
VU#782720: TCG TPM2.0 implementations vulnerable to memory corruption on 28/02/2023 at 5:37 pm
Vulnerability
VU#782720: TCG TPM2.0 implementations vulnerable to memory corruption on 28/02/2023 at 5:37 pm

Overview Two buffer overflow vulnerabilities were discovered in the Trusted Platform Module (TPM) 2.0 reference library specification, currently at Level…

Read More
VU#434994: Multiple race conditions due to TOCTOU flaws in various UEFI Implementations on 08/11/2022 at 5:02 pm
VULNERABILITIES
VU#434994: Multiple race conditions due to TOCTOU flaws in various UEFI Implementations on 08/11/2022 at 5:02 pm
Vulnerability
VU#434994: Multiple race conditions due to TOCTOU flaws in various UEFI Implementations on 08/11/2022 at 5:02 pm

Overview Multiple Unified Extensible Firmware Interface (UEFI) implementations are vulnerable to code execution in System Management Mode (SMM) by an…

Read More
Devel Group
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.
Privacy Policy
You have read and agreed to our privacy policy
Required