Details
Alert ID: 40045
Alert Type: Active
Status: release
Risk: High
CWE: 78
WASC: 20
Technologies Targeted: Language / Java; Language / Java / Spring
Tags: CVE-2022-22965, CWE-78, OWASP_2017_A01, OWASP_2017_A09, OWASP_2021_A03, OWASP_2021_A06, POLICY_QA_FULL, WSTG-V42-INPV-12
More Info: Scan Rule Help

Summary

The application appears to be vulnerable to CVE-2022-22965 (also known as Spring4Shell), a remote code execution (RCE) vulnerability via data binding.

Solution

Upgrade Spring Framework to versions 5.3.18, 5.2.20, or newer.

Other Info

References

Code

org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java