Spring - Remote Code Execution (CVE-2022-22980)
- Severity
- CVSSv3 Score: 9.8
- Exploitable with Sniper: No
- Vulnerability description
The Spring Framework is affected by a Remote Code Execution vulnerability in Spring Data that impacts applications using MongoDB. It affects applications whose repository query methods are annotated with @Query or @Aggregation and use parameterized SpEL (Spring Expression Language) statements. Exploitation requires that unsanitized input reach such a repository query method. This can lead to remote code execution, allowing an unauthenticated attacker to execute arbitrary code on the server.
- Risk description
The risk is that a remote, unauthenticated attacker can fully compromise the affected Spring application to steal confidential information, install ransomware, or pivot to the internal network.
- Recommendation
Upgrade the Spring Framework to the latest version.
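As an added illustration (not code from this advisory or from the Spring project), the following Spring Data MongoDB repository shows the annotated, SpEL-parameterized query style the description refers to next to the plain positional-binding form, plus a caller-side allowlist as defence in depth alongside the upgrade; Product, CategoryTotal, ProductRepository and ProductService are hypothetical names.

```java
// Added illustration, not part of the advisory. Names are hypothetical.
import java.util.List;
import java.util.regex.Pattern;

import org.springframework.data.mongodb.repository.Aggregation;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.mongodb.repository.Query;

// Minimal document and projection types so the file is self-contained.
record Product(String id, String category, double price) {}
record CategoryTotal(String id, double total) {}

public interface ProductRepository extends MongoRepository<Product, String> {

    // Pattern named in the advisory: the method argument is referenced from a
    // SpEL expression (?#{[0]}). On affected Spring Data MongoDB versions the
    // argument was not sanitized before being incorporated into that
    // expression, so unvalidated caller input reaches the SpEL evaluator.
    @Query("{ 'category': ?#{[0]} }")
    List<Product> findByCategorySpel(String category);

    // Preferred: positional parameter binding (?0). The argument is bound as a
    // plain BSON value and no expression is evaluated for it.
    @Query("{ 'category': ?0 }")
    List<Product> findByCategory(String category);

    // Same principle for @Aggregation pipelines: bind values, do not template them.
    @Aggregation(pipeline = {
        "{ $match: { 'category': ?0 } }",
        "{ $group: { _id: '$category', total: { $sum: '$price' } } }"
    })
    List<CategoryTotal> totalByCategory(String category);
}

// Caller-side allowlisting, independent of how the repository binds the value.
class ProductService {
    // Only short alphanumeric category names are accepted from callers.
    private static final Pattern SAFE_CATEGORY = Pattern.compile("^[A-Za-z0-9_-]{1,32}$");
    private final ProductRepository repo;

    ProductService(ProductRepository repo) { this.repo = repo; }

    List<Product> search(String category) {
        if (category == null || !SAFE_CATEGORY.matcher(category).matches()) {
            throw new IllegalArgumentException("rejected category filter");
        }
        return repo.findByCategory(category);
    }
}
```

Upgrading to a fixed version remains the actual remediation; the binding and allowlist changes only reduce how much untrusted input can reach the query layer.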
- Detectable with: Network Scanner
- Vuln date: Jun 2022
- Published at
- Updated at
- Software Type: Web framework
- Vendor: VMware
- Product: Spring
- Codename: Not available