CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇬🇧 English

CVE-2022-22963

CVSS 9.8v3.1pub. 2022-04-01upd. 2025-10-30

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Oracle Banking Branch

    APP
    Oracle
    14.5
  • Oracle Banking Cash Management

    APP
    Oracle
    14.5
  • Oracle Banking Corporate Lending Process Management

    APP
    Oracle
    14.5
  • Oracle Banking Credit Facilities Process Management

    APP
    Oracle
    14.5
  • Oracle Banking Electronic Data Exchange For Corporates

    APP
    Oracle
    14.5
  • Oracle Banking Liquidity Management

    APP
    Oracle
    14.214.5
  • Oracle Banking Origination

    APP
    Oracle
    14.5
  • Oracle Banking Supply Chain Finance

    APP
    Oracle
    14.5
  • Oracle Banking Trade Finance Process Management

    APP
    Oracle
    14.5
  • Oracle Banking Virtual Account Management

    APP
    Oracle
    14.5
  • Oracle Communications Cloud Native Core Automated Test Suite

    APP
    Oracle
    1.9.022.1.0
  • Oracle Communications Cloud Native Core Console

    APP
    Oracle
    1.9.022.1.0
  • Oracle Communications Cloud Native Core Network Exposure Function

    APP
    Oracle
    22.1.0
  • Oracle Communications Cloud Native Core Network Function Cloud Native Environment

    APP
    Oracle
    1.10.022.1.022.1.2
  • Oracle Communications Cloud Native Core Network Repository Function

    APP
    Oracle
    1.15.022.1.0
  • Oracle Communications Cloud Native Core Network Slice Selection Function

    APP
    Oracle
    1.8.022.1.0
  • Oracle Communications Cloud Native Core Policy

    APP
    Oracle
    1.15.022.1.022.1.3
  • Oracle Communications Cloud Native Core Security Edge Protection Proxy

    APP
    Oracle
    1.7.022.1.0
  • Oracle Communications Cloud Native Core Unified Data Repository

    APP
    Oracle
    1.15.022.1.0
  • Oracle Communications Communications Policy Management

    APP
    Oracle
    12.6.0.0.0
  • Oracle Financial Services Analytical Applications Infrastructure

    APP
    Oracle
    8.1.1.08.1.2.0
  • Oracle Financial Services Behavior Detection Platform

    APP
    Oracle
    8.1.1.08.1.1.18.1.2.0
  • Oracle Financial Services Enterprise Case Management

    APP
    Oracle
    8.1.1.08.1.1.18.1.2.0
  • Oracle MySQL Enterprise Monitor

    APP
    Oracle
    ≤ 8.0.29
  • Oracle Product Lifecycle Analytics

    APP
    Oracle
    3.6.1.0
  • Oracle Retail Xstore Point Of Service

    APP
    Oracle
    20.0.121.0.0
  • Oracle Sd Wan Edge

    APP
    Oracle
    9.09.1
  • VMware Spring Cloud Function

    APP
    Vmware
    ≤ 3.1.63.2.0 – 3.2.2

CISA KEV — szczegółyi

Dostawcai
VMware Tanzu
Produkti
Spring Cloud
Data dodania do KEVi
25 sierpnia 2022
Termin remediation (USA)i
15 września 2022(po terminie)
Wymagana akcja (CISA)i

Zastosuj aktualizacje zgodnie z instrukcjami producenta.

tłumaczenie AI
Pokaż oryginał (EN)

Apply updates per vendor instructions.

Opis CISAi

Podczas korzystania z funkcjonalności routingu w VMware Tanzu Spring Cloud Function użytkownik może dostarczyć specjalnie przygotowany SpEL jako routing-expression, co może prowadzić do zdalnego wykonania kodu i dostępu do lokalnych zasobów.

tłumaczenie AI
Pokaż oryginał (EN)

When using routing functionality in VMware Tanzu's Spring Cloud Function, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

🔴
NATYCHMIASTOWE DZIAŁANIE
Aktywnie wykorzystywane w atakach (CISA KEV). Załataj jak najszybciej.
CISA DEADLINE: 15 września 2022
Tagi
RCE
CWE
Referencje

Powiązane podatności

CVE-2022-22965CRITICAL9.8⚠ KEVten sam produkt

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) ...

CVE-2022-22947CRITICAL10.0⚠ KEVten sam produkt

In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection ...

CVE-2020-17530CRITICAL9.8⚠ KEVten sam produkt

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution....

CVE-2020-1938CRITICAL9.8⚠ KEVten sam produkt

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache To...

CVE-2017-1000353CRITICAL9.8⚠ KEVten sam produkt

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remot...

CVE-2022-22963 — CRITICAL 9.8 | CVEbaza.pl