All Vulnerability Reports

CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression


Severity

Critical

Vendor

Spring by VMware

Description

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

Affected VMware Products and Versions

Severity is critical unless otherwise noted.

  • Spring Cloud Function
    • 3.1.6
    • 3.2.2
    • Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to 3.1.7, 3.2.3. No other steps are necessary. Releases that have fixed this issue include:

  • Spring Cloud Function
    • 3.1.7
    • 3.2.3

Credit

This vulnerability was initially discovered and responsibly reported by m09u3r.

References

History

2022-03-29: Initial vulnerability report published.
2022-03-31: Updates to description, severity and references.