CVE-2022-22965

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Severity	CRITICAL
CVSS	9.8
CWE	CWE-94
KEV	KEV (added 4 years ago)
Published	4 years ago
Modified	6 months ago

Related Products

Product	Advisory	Evidence
Cisco Unity Connection	cisco-sa-java-spring-rce-Zx9GUc67	Cisco OpenVuln
Cisco Unity	cisco-sa-java-spring-rce-Zx9GUc67	Cisco OpenVuln
Cisco Unified Communications Manager IM and Presence Service	cisco-sa-java-spring-rce-Zx9GUc67	Cisco OpenVuln
Cisco Unified Communications Manager / Cisco Unity Connection	cisco-sa-java-spring-rce-Zx9GUc67	Cisco OpenVuln
Cisco Unified Communications Manager	cisco-sa-java-spring-rce-Zx9GUc67	Cisco OpenVuln
Cisco Secure Firewall Threat Defense (FTD) Software	cisco-sa-java-spring-rce-Zx9GUc67	Cisco OpenVuln
Cisco Secure Firewall Management Center (FMC)	cisco-sa-java-spring-rce-Zx9GUc67	Cisco OpenVuln
Cisco Prime License Manager	cisco-sa-java-spring-rce-Zx9GUc67	Cisco OpenVuln
Cisco Prime Collaboration Deployment	cisco-sa-java-spring-rce-Zx9GUc67	Cisco OpenVuln
Cisco Prime Collaboration	cisco-sa-java-spring-rce-Zx9GUc67	Cisco OpenVuln
Cisco IoT Field Network Director (IoT-FND)	cisco-sa-java-spring-rce-Zx9GUc67	Cisco OpenVuln
Cisco HyperFlex HX Data Platform	cisco-sa-java-spring-rce-Zx9GUc67	Cisco OpenVuln
Cisco Firepower Threat Defense Software	cisco-sa-java-spring-rce-Zx9GUc67	Cisco OpenVuln
Cisco Firepower Management Center	cisco-sa-java-spring-rce-Zx9GUc67	Cisco OpenVuln
Cisco Evolved Programmable Network Manager (EPNM)	cisco-sa-java-spring-rce-Zx9GUc67	Cisco OpenVuln
Cisco Emergency Responder	cisco-sa-java-spring-rce-Zx9GUc67	Cisco OpenVuln