Executive Summary

Summary
Title: Spring Framework insecurely handles PropertyDescriptor objects with data binding

Information
Name: VU#970766
Vendor: VU-CERT
First vendor publication: 2022-03-31
Last vendor modification: 2022-05-19
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Overall CVSS score: 9.8
Base score: 9.8
Environmental score: 9.8
Temporal score: 9.8
Impact subscore: 5.9
Exploitability subscore: 3.9

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality impact: High
Integrity impact: High
Availability impact: High

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS base score: 7.5
CVSS impact score: 6.4
CVSS exploit score: 10
Attack range: Network
Attack complexity: Low
Authentication: None required

Detail

Overview

The Spring Framework insecurely handles PropertyDescriptor objects, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

The Spring Framework is a Java framework that can be used to create applications such as web applications. Due to improper handling of PropertyDescriptor objects used with data binding, Java applications written with Spring may allow for the execution of arbitrary code.

Exploit code that targets affected WAR-packaged Java code for Tomcat servers is publicly available.

NCSC-NL has a list of products and their statuses with respect to this vulnerability.

Impact

By providing crafted data to a Spring Java application, such as a web application, an attacker may be able to execute arbitrary code with the privileges of the affected application. Depending on the application, exploitation may be possible by a remote attacker without requiring authentication.

Solution

Apply an update

This issue is addressed in Spring Framework 5.3.18 and 5.2.20. Please see the Spring Framework RCE Early Announcement for more details.
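
As an added example (not part of the original advisory or of the Spring project), the following Python sketch inventories the Spring Framework jars bundled in a WAR and compares each against the fixed releases named above. The `WEB-INF/lib/` layout, the file-name pattern, the module list, and the function names are assumptions made for illustration; branches for which the advisory names no fixed release are reported as "unknown".

```python
import io
import re
import zipfile

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Assumptions (not from the advisory): Spring Framework jars sit under
# WEB-INF/lib/ and carry the version in the file name, optionally with a
# suffix such as ".RELEASE"; the module list below is illustrative.
JAR_RE = re.compile(
    r"^WEB-INF/lib/(spring-(?:beans|core|context|web|webmvc))"
    r"-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?\.jar$"
)


def classify(version):
    """Compare an (x, y, z) version with the fixed release of its branch."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unknown"  # the advisory names no fixed release for this branch
    return "patched" if version >= fixed else "update"


def scan_war(war):
    """Return sorted (module, version, status) tuples for a WAR file."""
    findings = []
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            m = JAR_RE.match(name)
            if m:
                version = tuple(int(g) for g in m.groups()[1:])
                text = ".".join(str(n) for n in version)
                findings.append((m.group(1), text, classify(version)))
    return sorted(findings)


def build_sample_war(jar_names):
    """Build a constructed in-memory WAR holding empty placeholder jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for jar in jar_names:
            zf.writestr("WEB-INF/lib/" + jar, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample_war(["spring-beans-5.3.17.jar", "commons-io-2.11.0.jar"])
    for row in scan_war(sample):
        print(*row)
```

A status of "update" means the bundled jar predates the fixed release for its branch and the application should be rebuilt against 5.3.18 or 5.2.20.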

Acknowledgements

This issue was publicly disclosed by heige.

This document was written by Will Dormann.

Original Source

URL: https://kb.cert.org/vuls/id/970766

CWE : Common Weakness Enumeration

CWE-94 (100 %): Failure to Control Generation of Code ('Code Injection')

CPE : Common Platform Enumeration

Type: Application
Count: 88

SAINT Exploits

Description: Spring Framework Data Binding vulnerability

Alert History

Date Information
2022-10-05 02:19:02
  • Multiple Updates
2022-10-05 00:34:46
  • Multiple Updates
2022-10-05 00:22:01
  • Multiple Updates
2022-05-20 00:36:04
  • Multiple Updates
2022-05-19 21:34:48
  • Multiple Updates
2022-05-19 21:21:59
  • Multiple Updates
2022-04-28 02:12:56
  • Multiple Updates
2022-04-28 00:31:49
  • Multiple Updates
2022-04-28 00:17:46
  • Multiple Updates
2022-04-20 21:30:15
  • Multiple Updates
2022-04-20 17:30:11
  • Multiple Updates
2022-04-20 17:17:43
  • Multiple Updates
2022-04-14 00:29:44
  • Multiple Updates
2022-04-13 21:30:07
  • Multiple Updates
2022-04-13 21:17:42
  • Multiple Updates
2022-04-12 21:28:50
  • Multiple Updates
2022-04-12 17:29:53
  • Multiple Updates
2022-04-12 17:17:46
  • Multiple Updates
2022-04-11 21:30:09
  • Multiple Updates
2022-04-11 17:29:44
  • Multiple Updates
2022-04-11 17:17:42
  • Multiple Updates
2022-04-09 02:12:26
  • Multiple Updates
2022-04-09 00:30:16
  • Multiple Updates
2022-04-09 00:17:43
  • Multiple Updates
2022-04-08 21:30:18
  • Multiple Updates
2022-04-07 05:29:53
  • Multiple Updates
2022-04-07 05:17:41
  • Multiple Updates
2022-04-06 21:30:05
  • Multiple Updates
2022-04-06 21:17:42
  • Multiple Updates
2022-04-05 17:29:46
  • Multiple Updates
2022-04-05 17:17:42
  • Multiple Updates
2022-04-05 05:29:43
  • Multiple Updates
2022-04-05 05:17:42
  • Multiple Updates
2022-04-04 05:29:34
  • Multiple Updates
2022-04-04 05:17:39
  • Multiple Updates
2022-04-03 05:29:46
  • Multiple Updates
2022-04-03 05:17:41
  • Multiple Updates
2022-04-03 00:29:47
  • Multiple Updates
2022-04-03 00:17:40
  • Multiple Updates
2022-04-01 21:17:40
  • Multiple Updates
2022-03-31 17:17:41
  • First insertion