SpringSource Spring Framework 2.5.x prior to 2.5.6.SEC02, 2.5.7 prior to 2.5.7.SR01, and 3.0.x prior to 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing the parameter `class.classLoader.URLs[0]=jar:` followed by the URL of a crafted .jar file.
| Vulnerable Product |
|---|
| oracle fusion middleware 11.1.1.8.0 |
| oracle fusion middleware 7.6.2 |
| oracle fusion middleware 11.1.1.6.1 |
| springsource spring framework 2.5.0 |
| springsource spring framework 3.0.1 |
| springsource spring framework 2.5.3 |
| springsource spring framework 3.0.2 |
| springsource spring framework 2.5.5 |
| springsource spring framework 2.5.6 |
| springsource spring framework 2.5.4 |
| springsource spring framework 2.5.2 |
| springsource spring framework 2.5.7 |
| springsource spring framework 3.0.0 |
| springsource spring framework 2.5.1 |
Last week researchers found the critical vulnerability CVE-2022-22965 in Spring, the open source Java framework. Using the vulnerability, an attacker can execute arbitrary code on a remote web server, which makes CVE-2022-22965 a critical threat given the Spring framework's popularity. By analogy with the infamous Log4Shell threat, the vulnerability was named Spring4Shell.

CVE-2022-22965 and CVE-2022-22963: technical details

CVE-2022-22965 (Spring4Shell, SpringShell) is a vulnerability in ...