VDB
CISA-2022-22965
CISA-2022-22965
PUBLISHED
CVSS 9.8 CRITICAL
Reported by vmware · Published April 1, 2022
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Risk Scores
CVSS 3.1
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | Spring Framework | Spring Framework versions 5.3.X prior to 5.3.18+, 5.2.x prior to 5.2.20+ and all old and unsupported versions |
| n/a | Spring Framework | Spring Framework versions 5.3.X prior to 5.3.18+, 5.2.x prior to 5.2.20+ and all old and unsupported versions, Spring Framework versions 5.3.X prior to 5.3.18+, 5.2.x prior to 5.2.20+ and all old and unsupported versions |
Timeline
- Apr 1, 2022 CVE Published
- Oct 21, 2023 PoC Published
- Nov 17, 2024 PoC Published
- Oct 21, 2025 CVE Updated
- Apr 13, 2026 PoC Published
References
- x_refsource_MISC
- 20220401 Vulnerability in Spring Framework Affecting Cisco Products: March 2022 vendor-advisoryx_refsource_CISCO
- x_refsource_MISC
- x_refsource_CONFIRM
- x_refsource_MISC
- x_refsource_CONFIRM
- x_refsource_MISC
- x_refsource_MISC
- https://www.kb.cert.org/vuls/id/970766 url
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22965 url