Config files : Spring Framework vulnerability

Overview

An insecure version of a Spring Framework library is in use. It contains the following vulnerabilities:

  • RCE in the Spring Core module (CVE-2022-22965), known as Spring4Shell. Spring Framework updates 5.3.18 and 5.2.20 have been released to fix the vulnerability;

  • RCE in the Spring Cloud Function library (CVE-2022-22963). The vulnerability affects library versions up to 3.2.3;

  • Medium-severity vulnerability that can cause a DoS condition (CVE-2022-22950). It affects Spring Framework versions 5.3.0 to 5.3.16.

Spring4Shell is an RCE vulnerability that allows an attacker to execute malicious code remotely. It is currently classified as critical, with a CVSS v3.0 score of 9.8. The vulnerability affects Spring MVC and Spring WebFlux applications running on Java Development Kit (JDK) version 9 or later.
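A version check for the ranges listed above, as an added example that is not DerScanner's own detection logic: it reads a Maven `pom.xml`, resolves `${property}` versions, and reports dependencies that fall inside those ranges. It assumes Spring Framework modules use the `org.springframework` groupId and reads "up to 3.2.3" as "below 3.2.3"; `RULES`, `ver` and `scan_pom` are names introduced here, and the sample POM is constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# (CVE, groupId, artifactId prefix, version predicate); "up to 3.2.3" read as "< 3.2.3" (assumption)
RULES = [
    ("CVE-2022-22965", "org.springframework", "spring-",
     lambda v: v < (5, 2, 20) or (5, 3, 0) <= v < (5, 3, 18)),
    ("CVE-2022-22950", "org.springframework", "spring-",
     lambda v: (5, 3, 0) <= v <= (5, 3, 16)),
    ("CVE-2022-22963", "org.springframework.cloud", "spring-cloud-function",
     lambda v: v < (3, 2, 3)),
]

def ver(text):
    """'5.2.19.RELEASE' -> (5, 2, 19); short forms are zero-padded to three parts."""
    nums = [int(n) for n in re.match(r"\d+(?:\.\d+)*", text).group().split(".")]
    return tuple(nums + [0] * (3 - len(nums)))

def scan_pom(pom_xml):
    """Return sorted (artifactId, version, CVE) findings for one pom.xml string."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = set()
    for dep in root.findall(".//m:dependency", NS):
        group, artifact, raw = (dep.findtext(f"m:{tag}", "", NS).strip()
                                for tag in ("groupId", "artifactId", "version"))
        # Resolve ${property} references declared in <properties>.
        raw = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), ""), raw)
        if not re.match(r"\d", raw):
            continue  # version managed by a parent POM or BOM: cannot be judged here
        for cve, rule_group, prefix, affected in RULES:
            if group == rule_group and artifact.startswith(prefix) and affected(ver(raw)):
                findings.add((artifact, raw, cve))
    return sorted(findings)

# Constructed sample input, not taken from a real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><spring.version>5.3.15</spring.version></properties>
  <dependencies>
    <dependency><groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId><version>${spring.version}</version></dependency>
    <dependency><groupId>org.springframework</groupId>
      <artifactId>spring-beans</artifactId><version>5.2.20.RELEASE</version></dependency>
    <dependency><groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-function-web</artifactId><version>3.2.2</version></dependency>
  </dependencies></project>"""
print(scan_pom(SAMPLE_POM))
```

Dependencies whose version is inherited from a parent POM or BOM are skipped, so run the check on the effective POM when versions are managed elsewhere.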

DerScanner Severity Score: CRITICAL
