Executive Summary
| Summary | |
|---|---|
| Title | Spring Framework insecurely handles PropertyDescriptor objects with data binding |
| Informations | |||
|---|---|---|---|
| Name | VU#970766 | First vendor Publication | 2022-03-31 |
| Vendor | VU-CERT | Last vendor Modification | 2022-05-19 |
| Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
| Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | |||
|---|---|---|---|
| Overall CVSS Score | 9.8 | ||
| Base Score | 9.8 | Environmental Score | 9.8 |
| impact SubScore | 5.9 | Temporal Score | 9.8 |
| Exploitabality Sub Score | 3.9 | ||
| Attack Vector | Network | Attack Complexity | Low |
| Privileges Required | None | User Interaction | None |
| Scope | Unchanged | Confidentiality Impact | High |
| Integrity Impact | High | Availability Impact | High |
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
OverviewThe Spring Framework insecurely handles PropertyDescriptor objects, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. DescriptionThe Spring Framework is a Java framework that can be used to create applications such as web applications. Due to improper handling of PropertyDescriptor objects used with data binding, Java applications written with Spring may allow for the execution of arbitrary code. Exploit code that targets affected WAR-packaged Java code for tomcat servers is publicly available. NCSC-NL has a list of products and their statuses with respect to this vulnerability. ImpactBy providing crafted data to a Spring Java application, such as a web application, an attacker may be able to execute arbitrary code with the privileges of the affected application. Depending on the application, exploitation may be possible by a remote attacker without requiring authentication. SolutionApply an updateThis issue is addressed in Spring Framework 5.3.18 and 5.2.20. Please see the Spring Framework RCE Early Announcement for more details. AcknowledgementsThis issue was publicly disclosed by heige. This document was written by Will Dormann |
Original Source
| Url : https://kb.cert.org/vuls/id/970766 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
CPE : Common Platform Enumeration
SAINT Exploits
| Description | Link |
|---|---|
| Spring Framework Data Binding vulnerability | More info here |
Alert History
| Date | Informations |
|---|---|
| 2022-10-05 02:19:02 |
|
| 2022-10-05 00:34:46 |
|
| 2022-10-05 00:22:01 |
|
| 2022-05-20 00:36:04 |
|
| 2022-05-19 21:34:48 |
|
| 2022-05-19 21:21:59 |
|
| 2022-04-28 02:12:56 |
|
| 2022-04-28 00:31:49 |
|
| 2022-04-28 00:17:46 |
|
| 2022-04-20 21:30:15 |
|
| 2022-04-20 17:30:11 |
|
| 2022-04-20 17:17:43 |
|
| 2022-04-14 00:29:44 |
|
| 2022-04-13 21:30:07 |
|
| 2022-04-13 21:17:42 |
|
| 2022-04-12 21:28:50 |
|
| 2022-04-12 17:29:53 |
|
| 2022-04-12 17:17:46 |
|
| 2022-04-11 21:30:09 |
|
| 2022-04-11 17:29:44 |
|
| 2022-04-11 17:17:42 |
|
| 2022-04-09 02:12:26 |
|
| 2022-04-09 00:30:16 |
|
| 2022-04-09 00:17:43 |
|
| 2022-04-08 21:30:18 |
|
| 2022-04-07 05:29:53 |
|
| 2022-04-07 05:17:41 |
|
| 2022-04-06 21:30:05 |
|
| 2022-04-06 21:17:42 |
|
| 2022-04-05 17:29:46 |
|
| 2022-04-05 17:17:42 |
|
| 2022-04-05 05:29:43 |
|
| 2022-04-05 05:17:42 |
|
| 2022-04-04 05:29:34 |
|
| 2022-04-04 05:17:39 |
|
| 2022-04-03 05:29:46 |
|
| 2022-04-03 05:17:41 |
|
| 2022-04-03 00:29:47 |
|
| 2022-04-03 00:17:40 |
|
| 2022-04-01 21:17:40 |
|
| 2022-03-31 17:17:41 |
|
