Vulnerabilities / Spring Cloud SPEL Code Injection (CVE-2022-22963)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
↓
A remote code execution vulnerability (RCE) allows the attacker to execute arbitrary code and operating system commands on the server. In the worst-case scenario, the attacker will be able to fully compromise the server, extract sensitive data, modify the application contents or delete data.
The Spring Cloud versions 3.1.6 and 3.2.2, or below, if using the routing functionality, are vulnerable to RCE, identified as CVE-2022-22963. The vulnerability can be exploited with a specially crafted SpEL (short for Spring Expression Language) that results in remote code execution and access to local resources.
How to fix
-
To fix this vulnerability, you need to update all instances of the Spring Cloud to version to versions 3.1.7 or 3.2.3, depending on your branch.