CVE-2022-22963
Description
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
Risk Information
Base Score
9.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
94.462
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2022-22963 are fixed in spring-cloud-function-context 3.2.3 | Windows |
| Vulnerabilities CVE-2022-22963 are fixed in spring-cloud-function-context 3.1.7 | Windows |
| Vulnerabilities CVE-2022-22963 are fixed in spring-cloud-function-context for Linux 3.2.3 | Linux |
| Vulnerabilities CVE-2022-22963 are fixed in spring-cloud-function-context for Linux 3.1.7 | Linux |
| Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection) Vulnerability (CVE-2022-22963) | NCM |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234