spring-beans is vulnerable to remote code execution. Using Spring Parameter Binding with non-basic parameter types, such as POJOs, allows an unauthenticated attacker to execute arbitrary code on the target system by writing or uploading arbitrary files (e.g. .jsp files) to a location that can be loaded by the application server.
Initial analysis at time of writing shows that exploitation of the vulnerability is only possible with JRE 9 and above, and Apache Tomcat 9 and above, and that the vulnerability requires the usage of Spring parameter binding with non-basic parameter types such as POJOs.
| Field | Value |
| --- | --- |
| CVE | 2022-22965 |
| CVSS score | 7.5 |
| Vulnerability present in version/s | 3.0.0.RC1-5.2.19.RELEASE |
| Found library version/s | 5.2.7.RELEASE |
| Vulnerability fixed in version | 5.2.20.RELEASE |
| Library latest version | 6.0.8 |
| Fix | There are suggested workarounds if upgrade is not possible. Refer to the following blog post: |
Veracode Software Composition Analysis
Links: