In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
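A Java sketch of the pattern the description refers to, added here as an example and not Spring Cloud Function's own code: the same caller-supplied routing expression evaluated with a StandardEvaluationContext (full SpEL, including T(...) type references) and with a SimpleEvaluationContext, which Spring documents as the context for expressions from untrusted sources. The class name and the `func_name` header are assumptions; the hostile expression only reads a system property, enough to show which context lets sender-controlled code reach JVM classes.

```java
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.messaging.Message;
import org.springframework.messaging.support.MessageBuilder;

public class RoutingExpressionDemo {
    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Weak pattern: the message sender's expression is evaluated in a
    // StandardEvaluationContext, which allows T(...) type references and
    // arbitrary method invocation, so the sender decides what code runs.
    static String routeUnsafe(Message<?> message, String routingExpression) {
        StandardEvaluationContext ctx = new StandardEvaluationContext();
        return PARSER.parseExpression(routingExpression).getValue(ctx, message, String.class);
    }

    // Hardened pattern: SimpleEvaluationContext exposes read-only property access
    // on the root Message only; T(...) references and method calls are rejected.
    static String routeSafe(Message<?> message, String routingExpression) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(routingExpression).getValue(ctx, message, String.class);
    }

    public static void main(String[] args) {
        // Constructed sample message; a real routing setup reads the function name from a header.
        Message<String> msg = MessageBuilder.withPayload("hello")
                .setHeader("func_name", "uppercase").build();

        String legit = "headers['func_name']";           // the intended use of a routing expression
        System.out.println(routeUnsafe(msg, legit));     // uppercase
        System.out.println(routeSafe(msg, legit));       // uppercase: data binding still works

        String hostile = "T(java.lang.System).getProperty('java.version')";
        System.out.println(routeUnsafe(msg, hostile));   // prints the JVM version: JVM classes were reachable
        try {
            routeSafe(msg, hostile);
        } catch (SpelEvaluationException e) {
            // SimpleEvaluationContext has no TypeLocator, so T(...) fails before anything is invoked
            System.out.println("rejected: " + e.getMessageCode()); // TYPE_NOT_FOUND
        }
    }
}
```

Requires spring-expression and spring-messaging on the classpath; the point to check in a deployment is which evaluation context handles expressions that arrive with the request.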
Vulnerable Product |
---|
vmware spring cloud function |
oracle banking branch 14.5 |
oracle banking cash management 14.5 |
oracle banking corporate lending process management 14.5 |
oracle banking credit facilities process management 14.5 |
oracle banking electronic data exchange for corporates 14.5 |
oracle banking liquidity management 14.2 |
oracle banking liquidity management 14.5 |
oracle banking origination 14.5 |
oracle banking supply chain finance 14.5 |
oracle banking trade finance process management 14.5 |
oracle banking virtual account management 14.5 |
oracle communications cloud native core automated test suite 1.9.0 |
oracle communications cloud native core automated test suite 22.1.0 |
oracle communications cloud native core console 1.9.0 |
oracle communications cloud native core console 22.1.0 |
oracle communications cloud native core network exposure function 22.1.0 |
oracle communications cloud native core network function cloud native environment 1.10.0 |
oracle communications cloud native core network function cloud native environment 22.1.0 |
oracle communications cloud native core network function cloud native environment 22.1.2 |
oracle communications cloud native core network repository function 1.15.0 |
oracle communications cloud native core network repository function 22.1.0 |
oracle communications cloud native core network slice selection function 1.8.0 |
oracle communications cloud native core network slice selection function 22.1.0 |
oracle communications cloud native core policy 1.15.0 |
oracle communications cloud native core policy 22.1.0 |
oracle communications cloud native core policy 22.1.3 |
oracle communications cloud native core security edge protection proxy 1.7.0 |
oracle communications cloud native core security edge protection proxy 22.1.0 |
oracle communications cloud native core unified data repository 1.15.0 |
oracle communications cloud native core unified data repository 22.1.0 |
oracle communications communications policy management 12.6.0.0.0 |
oracle financial services analytical applications infrastructure 8.1.1.0 |
oracle financial services analytical applications infrastructure 8.1.2.0 |
oracle financial services behavior detection platform 8.1.1.0 |
oracle financial services behavior detection platform 8.1.1.1 |
oracle financial services behavior detection platform 8.1.2.0 |
oracle financial services enterprise case management 8.1.1.0 |
oracle financial services enterprise case management 8.1.1.1 |
oracle financial services enterprise case management 8.1.2.0 |
oracle mysql enterprise monitor |
oracle product lifecycle analytics 3.6.1.0 |
oracle retail xstore point of service 20.0.1 |
oracle retail xstore point of service 21.0.0 |
oracle sd-wan edge 9.0 |
oracle sd-wan edge 9.1 |
Spring4Shell: New Zero-day RCE Vulnerability Uncovered in Java Framework (Posted: 31 Mar, 2022). Symantec products will protect against attempted exploits of Spring4Shell vulnerability. A zero-day vulnerability in the Spring Core Java framework that could allow for unauthenticated remote code execution (RCE) on vulnerable applications was publicly disclosed on March 30, before a patch wa...
Last week researchers found the critical vulnerability CVE-2022-22965 in Spring – the open source Java framework. Using the vulnerability, an attacker can execute arbitrary code on a remote web server, which makes CVE-2022-22965 a critical threat, given the Spring framework’s popularity. By analogy with the infamous Log4Shell threat, the vulnerability was named Spring4Shell.
CVE-2022-22965 and CVE-2022-22963: technical details. CVE-2022-22965 (Spring4Shell, SpringShell) is a vulnerability in ...
Another Java Remote Code Execution vulnerability has reared its head, this time in the popular Spring Framework and, goodness, it's a nasty one. Dubbed "Springshell" or "Spring4Shell", the vulnerability requires an endpoint with DataBinder enabled. "For example," explained security shop Praetorian, "when Spring is deployed to Apache Tomcat, the WebAppClassLoader is accessible, which allows an attacker to call getters and setters to ultimately write a malicious JSP file to disk." "Spring have ack...