
DIVD-2022-00024 - Spring Cloud RCE - CVE-2022-22963

Our reference: DIVD-2022-00024
Case lead: Victor Pasman
Author: Pepijn van der Stap
Researcher(s):
CVE(s): CVE-2022-22963
Product: Spring Cloud Function
Versions: prior to 3.1.7 and 3.2.3
Recommendation: If you receive an email from DIVD referring to this case, the vulnerability has been confirmed. Update the application to the newest versions, 3.1.7 or 3.2.3.
Patch status: Available
Status: Open
Last modified: 02 Apr 2022 14:29

Summary

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when the routing functionality is used, a user can supply a specially crafted Spring Expression Language (SpEL) expression as the routing expression, which may result in remote code execution and access to local resources.
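As an added example (not part of the DIVD case file), a Python check that scans `mvn dependency:tree` output for Spring Cloud Function artifacts in the affected range the summary and recommendation give: below 3.1.7 on the 3.1 line, below 3.2.3 otherwise. It assumes the artifacts are published under the groupId org.springframework.cloud with artifactIds prefixed spring-cloud-function-, and the sample tree is constructed.

```python
import re

# Fixed versions stated in the case file: anything "prior to 3.1.7 and 3.2.3" is
# affected, i.e. every release below 3.2.3 except the patched 3.1.7+ maintenance line.
FIXED_31 = (3, 1, 7)
FIXED_32 = (3, 2, 3)

# Matches a Maven coordinate as printed by `mvn dependency:tree`, e.g.
# "org.springframework.cloud:spring-cloud-function-context:jar:3.1.6:compile".
# Assumption (not on the page): Spring Cloud Function ships under this groupId
# with artifactIds prefixed "spring-cloud-function-".
COORD_RE = re.compile(
    r"org\.springframework\.cloud:(spring-cloud-function-[\w-]+):jar:([^:\s]+)"
)

def parse_version(text):
    """Leading numeric components of a Maven version, ignoring qualifiers
    such as '.RELEASE' or '-SNAPSHOT': '3.1.6.RELEASE' -> (3, 1, 6)."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    # Pad to three components so '3.1' compares like (3, 1, 0).
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def is_vulnerable(version):
    """True if the version falls inside the CVE-2022-22963 affected range."""
    v = parse_version(version)
    if v[:2] == (3, 1):
        return v < FIXED_31
    return v < FIXED_32  # 3.2.x below 3.2.3, plus 3.0.x and older; 3.3+ is unaffected

def find_affected(tree_output):
    """Scan dependency-tree text; return [(artifactId, version)] needing an update."""
    hits = []
    for line in tree_output.splitlines():
        m = COORD_RE.search(line)
        if m and is_vulnerable(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample output; versions chosen to exercise each branch of the check.
SAMPLE_TREE = """\
[INFO] +- org.springframework.cloud:spring-cloud-function-web:jar:3.2.2:compile
[INFO] |  \\- org.springframework.cloud:spring-cloud-function-context:jar:3.1.6.RELEASE:compile
[INFO] +- org.springframework.cloud:spring-cloud-function-core:jar:3.1.7:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-web:jar:2.6.5:compile
"""

if __name__ == "__main__":
    for artifact, version in find_affected(SAMPLE_TREE):
        print(f"update {artifact} {version}")
```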

What you can do

What we are doing

Timeline

Date         Description
31 Mar 2022  DIVD starts investigating the scope and impact of the vulnerability.
02 Apr 2022  First version of this case file.

More information