9.8

CVSS Score

Basic Information

CVE ID

CVE-2022-22965

GHSA ID

GHSA-36p3-wjmg-h94x

EPSS Score

CWE

CWE-74

Published

3/31/2022

Updated

1/29/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-22965

CVE-2022-22965:
Remote Code Execution in Spring Framework

Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as Spring4Shell.

Impact

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

These are the prerequisites for the exploit:

JDK 9 or higher
Apache Tomcat as the Servlet container
Packaged as WAR
spring-webmvc or spring-webflux dependency

Patches

Spring Framework 5.3.18 and 5.2.20
Spring Boot 2.6.6 and 2.5.12

Workarounds

For those who are unable to upgrade, leaked reports recommend setting disallowedFields on WebDataBinder through an @ControllerAdvice. This works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller sets disallowedFields locally through its own @InitBinder method, which overrides the global setting.

To apply the workaround in a more fail-safe way, applications could extend RequestMappingHandlerAdapter to update the WebDataBinder at the end after all other initialization. In order to do that, a Spring Boot application can declare a WebMvcRegistrations bean (Spring MVC) or a WebFluxRegistrations bean (Spring WebFlux).

(GitHub Advisory)

9.8

CVSS Score

Basic Information

CVE ID

CVE-2022-22965

GHSA ID

GHSA-36p3-wjmg-h94x

EPSS Score

CWE

CWE-74

Published

3/31/2022

Updated

1/29/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.springframework:spring-beans	maven	>= 5.3.0, < 5.3.18	5.3.18
org.springframework:spring-webmvc	maven	>= 5.3.0, < 5.3.18	5.3.18
org.springframework.boot:spring-boot-starter-web	maven	< 2.5.12	2.5.12
org.springframework.boot:spring-boot-starter-web	maven	>= 2.6.0, < 2.6.6	2.6.6
org.springframework:spring-webflux	maven	>= 5.3.0, < 5.3.18	5.3.18
org.springframework.boot:spring-boot-starter-webflux	maven	< 2.5.12	2.5.12
org.springframework.boot:spring-boot-starter-webflux	maven	>= 2.6.0, < 2.6.6	2.6.6
org.springframework:spring-beans	maven	< 5.2.20.RELEASE	5.2.20.RELEASE
org.springframework:spring-webmvc	maven	< 5.2.20.RELEASE	5.2.20.RELEASE
org.springframework:spring-webflux	maven	< 5.2.20.RELEASE	5.2.20.RELEASE

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper PropertyDescriptor filtering in Spring's data binding mechanism. The commit 002546b shows the original code allowed binding to Class.class properties except 'classLoader'/'protectionDomain' by name, but didn't check property types. Attackers could exploit this by accessing ClassLoader/ProtectionDomain properties through alternative property paths or interface inheritance. The vulnerable functions are directly responsible for processing property descriptors during object binding, making them the root cause of the RCE vulnerability when combined with JDK 9+ and Tomcat WAR deployment.

Vulnerable functions

CachedIntrospectionResults.CachedIntrospectionResults(Class<?>)

spring-beans/src/main/java/org/springframework/beans/CachedIntrospectionResults.java

The constructor processes PropertyDescriptors without properly filtering ClassLoader and ProtectionDomain types prior to patching, allowing attackers to bind malicious parameters to these sensitive properties during data binding.

CachedIntrospectionResults.introspectInterfaces

spring-beans/src/main/java/org/springframework/beans/CachedIntrospectionResults.java

This method processed interface properties without adequate filtering of ClassLoader/ProtectionDomain types, enabling access to dangerous properties through derived interfaces.

WAF Protection Rules

WAF Rule

Sprin* *r*m*work prior to v*rsions *.*.** *n* *.*.** *ont*ins * r*mot* *o** *x**ution vuln*r**ility known *s `Sprin**S**ll`. ## Imp**t * Sprin* MV* or Sprin* W***lux *ppli**tion runnin* on J*K *+ m*y ** vuln*r**l* to r*mot* *o** *x**ution (R**) vi

Reasoning

T** vuln*r**ility st*ms *rom improp*r Prop*rty**s*riptor *ilt*rin* in Sprin*'s **t* *in*in* m****nism. T** *ommit ******* s*ows t** ori*in*l *o** *llow** *in*in* to *l*ss.*l*ss prop*rti*s *x**pt '*l*ssLo***r'/'prot**tion*om*in' *y n*m*, *ut *i*n't **

9.8

Basic Information

Concerned about an active attack path?

CVE-2022-22965: Remote Code Execution in Spring Framework

Impact

Patches

Workarounds

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-22965:
Remote Code Execution in Spring Framework

Vulnerability Intelligence
Miggo AI