A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
History

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
References

Fri, 18 Oct 2024 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Oracle jdk
CPEs cpe:2.3:a:oracle:jdk:*:*:*:*:*:*:*:*
Vendors & Products Oracle jdk

Wed, 14 Aug 2024 01:00:00 +0000

Type Values Removed Values Added
References

cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2022-04-01T22:17:30

Updated: 2024-08-03T03:28:42.725Z

Reserved: 2022-01-10T00:00:00

Link: CVE-2022-22965

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-04-01T23:15:13.870

Modified: 2024-11-21T06:47:42.050

Link: CVE-2022-22965

cve-icon Redhat

Severity : Important

Publid Date: 2022-03-30T00:00:00Z

Links: CVE-2022-22965 - Bugzilla