
Spring - Remote Code Execution (CVE-2022-22980)

Severity (CVSSv3 score): 9.8
Exploitable with Sniper: No
Vulnerability description

The Spring framework is affected by a remote code execution vulnerability in Spring Data that impacts applications using MongoDB. It affects applications whose repository query methods are annotated with @Query or @Aggregation and use parameterized SpEL (Spring Expression Language) statements. Exploitation requires unsanitized input to reach such a repository query method. The result can be remote code execution, allowing an unauthenticated remote attacker to execute arbitrary code on the server.
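To make the affected pattern concrete, the following added illustration (not code from this page or from the Spring project) shows the repository shape the description refers to next to a hardened form and an input-validation boundary; the `Person` document, the repository and service names and the name allowlist are assumptions.

```java
import java.util.List;
import java.util.regex.Pattern;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.mongodb.repository.Query;

// Hypothetical document class; field names are assumptions for illustration.
class Person {
    public String id;
    public String name;
}

// Pattern to flag in code review on an affected Spring Data MongoDB version:
// the method argument is referenced from inside a SpEL expression (?#{...}),
// so unsanitized caller-controlled text can influence expression evaluation
// instead of being bound purely as a query value.
interface RiskyPersonRepository extends MongoRepository<Person, String> {
    @Query("{ 'name' : ?#{[0]} }")
    List<Person> findByName(String name);
}

// Hardened form: a plain positional placeholder (?0) binds the argument as a
// BSON value and involves no SpEL evaluation. Reserve SpEL for cases where the
// query shape itself must be computed, and keep it away from user-controlled input.
interface SafePersonRepository extends MongoRepository<Person, String> {
    @Query("{ 'name' : ?0 }")
    List<Person> findByName(String name);
}

// Defence in depth at the service boundary: reject input that does not match the
// expected shape of a person name before it reaches any query method.
// The allowlist below is an assumption; adapt it to the application's data.
final class PersonLookupService {
    private static final Pattern NAME_ALLOWLIST = Pattern.compile("^[\\p{L} .'-]{1,64}$");
    private final SafePersonRepository repository;

    PersonLookupService(SafePersonRepository repository) {
        this.repository = repository;
    }

    static boolean isAcceptableName(String candidate) {
        return candidate != null && NAME_ALLOWLIST.matcher(candidate).matches();
    }

    List<Person> lookup(String rawName) {
        if (!isAcceptableName(rawName)) {
            throw new IllegalArgumentException("name rejected by input validation");
        }
        return repository.findByName(rawName);
    }
}
```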

Risk description

The risk is that a remote unauthenticated attacker can fully compromise the server running the vulnerable Spring application, steal confidential information, install ransomware, or pivot to the internal network.

Recommendation

Upgrade the Spring Framework (in particular the Spring Data MongoDB dependency) to the latest version.

Detectable with: Network Scanner
Vuln date: Jun 2022
Published at:
Updated at:
Software Type: Web framework
Vendor: VMware
Product: Spring
Codename: Not available