Current Description
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Severity
CVSS Version 3.xCVSS Version 2.0
CVSS 3.x Severity and Metrics:
NIST: NVDBase Score:9.8 CRITICALVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.
Note: NVD Analysts have published a CVSS score for this CVE based on publicly available information at the time of analysis. The CNA has not provided a score within the CVE List.
References to Advisories, Solutions, and Tools
By selecting these links, you will be leaving the NIST webspace. We have provided these links to other websites because they may have information that would interest you. No inferences should be drawn on account of other sites being referenced or not from this page. There may be other websites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products mentioned on these sites. Please address comments about this page to [email protected].
| Hyperlink | Resource |
|---|---|
| https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005 | Third Party Advisory |
| https://tanzu.vmware.com/security/cve-2022-22965 | Mitigation Vendor Advisory |
| https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67 | Third-Party Advisory |
Weakness Enumeration
| CWE-ID | CWE Name | Source |
|---|---|---|
| CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | NIST  VMware |
Known Affected Software Configurations Switch to CPE 2.2
Configuration 1 ( hide )
| cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* Show Matching CPE(s) | From (including) 5.2.0 | Up to (excluding) 5.2.20 |
| cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* Show Matching CPE(s) | From (including) 5.3.0 | Up to (excluding) 5.3.18 |
Configuration 2 ( hide )
| cpe:2.3:a:cisco:cx_cloud_agent:*:*:*:*:*:*:*:* Show Matching CPE(s) | Up to (excluding) 2.1.0 |
Source: CVE – CVE-2022-22965 (mitre.org)