CVE-2022-22965: Remote Code Execution in Spring Framework
(updated )
Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as Spring4Shell.
References
- cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf
- github.com/advisories/GHSA-36p3-wjmg-h94x
- github.com/spring-projects/spring-boot/releases/tag/v2.5.12
- github.com/spring-projects/spring-boot/releases/tag/v2.6.6
- github.com/spring-projects/spring-framework
- github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15
- github.com/spring-projects/spring-framework/releases/tag/v5.2.20.RELEASE
- github.com/spring-projects/spring-framework/releases/tag/v5.3.18
- nvd.nist.gov/vuln/detail/CVE-2022-22965
- psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005
- spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
- tanzu.vmware.com/security/cve-2022-22965
- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67
- www.kb.cert.org/vuls/id/970766
- www.oracle.com/security-alerts/cpuapr2022.html
- www.oracle.com/security-alerts/cpujul2022.html
Code Behaviors & Features
Detect and mitigate CVE-2022-22965 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →