DIVD-2022-00024 - Spring Cloud RCE - CVE-2022-22963
| Our reference | DIVD-2022-00024 |
| Case lead | Victor Pasman |
| Author | Pepijn van der Stap |
| Researcher(s) |
|
| CVE(s) | |
| Product | Spring Cloud Function |
| Versions | versions prior to 3.1.7 and 3.2.3 |
| Recommendation | If you receive an email from DIVD referring to this case, the vulnerability has been confirmed. You should update the application to the newest versions 3.1.7 & 3.2.3. |
| Patch status | Available |
| Status | Closed |
| Last modified | 13 Mar 2023 12:49 |
Summary
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) as a routing-expression that may result in remote code execution and access to local resources.
What you can do
- If you’re using the Spring Cloud Function library, you should upgrade to 3.1.7+ or 3.2.3+ to prevent exploitation.
What we are doing
- DIVD is currently ensuring that the owners of vulnerable systems are being notified. We do this by scanning for vulnerable hosts, verifying the vulnerability and notifying the owners of these systems. If you receive an email from us regarding this case, the vulnerability has been confirmed.
Timeline
| Date | Description |
|---|---|
| 31 Mar 2022 | DIVD starts investigating the scope and impact of the vulnerability. |
| 02 Apr 2022 | First version of this case file. |
gantt
title DIVD-2022-00024 - Spring Cloud RCE - CVE-2022-22963
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2022-00024 - Spring Cloud RCE - CVE-2022-22963 (175 days) :2022-03-31, 2022-09-22
section Events
DIVD starts investigating the scope and impact of the vulnerability. : milestone, 2022-03-31, 0d
First version of this case file. : milestone, 2022-04-02, 0d