In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
21 Nov 2024, 06:47
Type | Values Removed | Values Added |
---|---|---|
References | () http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html - Exploit, Third Party Advisory, VDB Entry | |
References | () https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005 - Third Party Advisory | |
References | () https://tanzu.vmware.com/security/cve-2022-22963 - Vendor Advisory | |
References | () https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH - Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory |
28 Jun 2024, 14:08
Type | Values Removed | Values Added |
---|---|---|
References | () http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html - Exploit, Third Party Advisory, VDB Entry |
13 Jul 2023, 23:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
13 Jul 2023, 17:11
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-917 |
28 Jul 2022, 18:26
Type | Values Removed | Values Added |
---|---|---|
References | (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory | |
CPE | cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:21.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_virtual_account_management:14.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_origination:14.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_electronic_data_exchange_for_corporates:14.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_supply_chain_finance:14.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_console:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_branch:14.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_communications_policy_management:12.6.0.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_liquidity_management:14.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_liquidity_management:14.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:* |
25 Jul 2022, 18:20
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Apr 2022, 00:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
06 Apr 2022, 13:16
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005 - Third Party Advisory | |
References | (MISC) https://tanzu.vmware.com/security/cve-2022-22963 - Vendor Advisory | |
References | (CISCO) https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH - Third Party Advisory | |
CWE | CWE-94 | |
CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 9.8 |
CPE | cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:* |
02 Apr 2022, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
02 Apr 2022, 03:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
01 Apr 2022, 23:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-04-01 23:15
Updated : 2024-11-21 06:47
NVD link : CVE-2022-22963
Mitre link : CVE-2022-22963
CVE.ORG link : CVE-2022-22963
JSON object : View
Products Affected
oracle
- banking_corporate_lending_process_management
- communications_cloud_native_core_network_repository_function
- banking_liquidity_management
- financial_services_behavior_detection_platform
- banking_branch
- banking_origination
- communications_cloud_native_core_network_slice_selection_function
- product_lifecycle_analytics
- banking_supply_chain_finance
- financial_services_analytical_applications_infrastructure
- sd-wan_edge
- communications_cloud_native_core_network_function_cloud_native_environment
- communications_communications_policy_management
- banking_credit_facilities_process_management
- banking_trade_finance_process_management
- communications_cloud_native_core_network_exposure_function
- retail_xstore_point_of_service
- banking_electronic_data_exchange_for_corporates
- communications_cloud_native_core_unified_data_repository
- communications_cloud_native_core_security_edge_protection_proxy
- financial_services_enterprise_case_management
- banking_virtual_account_management
- communications_cloud_native_core_policy
- communications_cloud_native_core_automated_test_suite
- mysql_enterprise_monitor
- communications_cloud_native_core_console
- banking_cash_management
vmware
- spring_cloud_function