Spring4Shell

ID

spring4shell

Severity

critical

Kind

Remote Code Execution

CWE

78

Description

The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding.

Rationale

Spring4Shell abuses unsafe data binding in Spring Framework to achieve remote code execution without authentication. By supplying crafted request parameters, an attacker can reach Java class properties through the bound object and alter the application classloader's settings, ultimately writing malicious JSP files to the web root. This allows complete server takeover, enabling attackers to steal data, install backdoors, pivot to internal networks, or deploy ransomware.

Remediation

Upgrade Spring Framework to versions 5.3.18, 5.2.20, or newer.