VDB

CISA-2022-22965

CISA-2022-22965 PUBLISHED CVSS 9.8 CRITICAL

Reported by vmware · Published April 1, 2022

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Risk Scores

CVSS 3.1
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
n/aSpring FrameworkSpring Framework versions 5.3.X prior to 5.3.18+, 5.2.x prior to 5.2.20+ and all old and unsupported versions
n/aSpring FrameworkSpring Framework versions 5.3.X prior to 5.3.18+, 5.2.x prior to 5.2.20+ and all old and unsupported versions, Spring Framework versions 5.3.X prior to 5.3.18+, 5.2.x prior to 5.2.20+ and all old and unsupported versions

Timeline

  • Apr 1, 2022 CVE Published
  • Oct 21, 2023 PoC Published
  • Nov 17, 2024 PoC Published
  • Oct 21, 2025 CVE Updated
  • Apr 13, 2026 PoC Published

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›