Details | |
---|---|
Alert ID | 40045 |
Alert Type | Active |
Status | release |
Risk | High |
CWE | 78 |
WASC | 20 |
Technologies Targeted |
Language / Java Language / Java / Spring |
Tags |
CVE-2022-22965 CWE-78 OWASP_2017_A01 OWASP_2017_A09 OWASP_2021_A03 OWASP_2021_A06 POLICY_QA_FULL WSTG-V42-INPV-12 |
More Info |
Scan Rule Help |
Summary
The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding.
Solution
Upgrade Spring Framework to versions 5.3.18, 5.2.20, or newer.Other Info
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-22965
- https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/
- https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#vulnerability
- https://tanzu.vmware.com/security/cve-2022-22965