DIVD-2022-00024 - Spring Cloud RCE - CVE-2022-22963
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when the routing functionality is used, a user can supply a specially crafted Spring Expression Language (SpEL) expression as the routing-expression. Evaluating that expression may result in remote code execution and access to local resources.
What you can do
- If you’re using the Spring Cloud Function library, you should upgrade to 3.1.7+ or 3.2.3+ to prevent exploitation.
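A practical way to act on the upgrade advice is to check which Spring Cloud Function versions a build actually pulls in. The Python below is an added example, not DIVD's tooling: it runs over constructed `mvn dependency:tree` output and applies the affected (3.1.6, 3.2.2 and older) and fixed (3.1.7+, 3.2.3+) version boundaries stated in this case file.

```python
import re

# Constructed sample of `mvn dependency:tree` output; not taken from a real system.
SAMPLE_TREE = r"""
[INFO] com.example:orders:jar:1.0.0
[INFO] +- org.springframework.cloud:spring-cloud-function-web:jar:3.2.2:compile
[INFO] |  \- org.springframework.cloud:spring-cloud-function-context:jar:3.2.2:compile
[INFO] +- org.springframework.cloud:spring-cloud-function-core:jar:3.1.7:compile
[INFO] +- org.springframework.cloud:spring-cloud-function-adapter-aws:jar:3.0.14.RELEASE:compile
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.6.6:compile
"""

# Matches the Spring Cloud Function artifacts only; group 1 is the artifact, group 2 the version.
DEP_RE = re.compile(
    r"org\.springframework\.cloud:(spring-cloud-function-[a-z-]+):jar:([^:\s]+):"
)


def parse_version(version: str) -> tuple[int, int, int]:
    """Reduce a Maven version to (major, minor, patch), ignoring qualifiers
    such as '.RELEASE' or '-SNAPSHOT'. Missing components count as 0."""
    nums = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def is_vulnerable(version: str) -> bool:
    """Apply the advisory's boundaries: 3.2.x is fixed from 3.2.3, 3.1.x is
    fixed from 3.1.7, and every older (unsupported) release line is affected."""
    major, minor, patch = parse_version(version)
    if (major, minor) == (3, 2):
        return patch <= 2
    if (major, minor) == (3, 1):
        return patch <= 6
    return (major, minor) < (3, 1)


def triage(tree_output: str) -> dict[str, tuple[str, bool]]:
    """Map each Spring Cloud Function artifact in the tree to (version, vulnerable)."""
    return {
        m.group(1): (m.group(2), is_vulnerable(m.group(2)))
        for m in DEP_RE.finditer(tree_output)
    }


if __name__ == "__main__":
    for artifact, (version, vulnerable) in triage(SAMPLE_TREE).items():
        print(f"{artifact:40} {version:16} {'UPGRADE' if vulnerable else 'ok'}")
```

Any artifact flagged UPGRADE should be moved to the fixed line named above; a mix of fixed and affected artifacts in one tree, as in the constructed sample, usually points to an inconsistent dependency set.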
What we are doing
- DIVD is currently ensuring that the owners of vulnerable systems are being notified. We do this by scanning for vulnerable hosts, verifying the vulnerability and notifying the owners of these systems. If you receive an email from us regarding this case, the vulnerability has been confirmed.
31 Mar 2022
DIVD starts investigating the scope and impact of the vulnerability.
02 Apr 2022
First version of this case file.