In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when the routing functionality is used, a user can supply a specially crafted SpEL expression as the routing expression, which may result in remote code execution and access to local resources.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html | |
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005 | Third Party Advisory |
https://tanzu.vmware.com/security/cve-2022-22963 | Vendor Advisory |
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH | Third Party Advisory |
https://www.oracle.com/security-alerts/cpuapr2022.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpujul2022.html | Patch Third Party Advisory |
Configurations
Configuration 1
Configuration 2
History
13 Jul 2023, 23:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
13 Jul 2023, 17:11
Type | Values Removed | Values Added |
---|---|---|
CWE | | CWE-917 |
28 Jul 2022, 18:26
Type | Values Removed | Values Added |
---|---|---|
First Time | | Oracle banking Virtual Account Management |
First Time | | Oracle communications Cloud Native Core Unified Data Repository |
First Time | | Oracle banking Cash Management |
First Time | | Oracle communications Cloud Native Core Network Repository Function |
First Time | | Oracle banking Corporate Lending Process Management |
First Time | | Oracle retail Xstore Point Of Service |
First Time | | Oracle banking Branch |
First Time | | Oracle banking Liquidity Management |
First Time | | Oracle |
First Time | | Oracle financial Services Behavior Detection Platform |
First Time | | Oracle mysql Enterprise Monitor |
First Time | | Oracle communications Cloud Native Core Policy |
First Time | | Oracle communications Cloud Native Core Console |
First Time | | Oracle product Lifecycle Analytics |
First Time | | Oracle communications Cloud Native Core Network Exposure Function |
First Time | | Oracle sd-wan Edge |
First Time | | Oracle communications Cloud Native Core Automated Test Suite |
First Time | | Oracle communications Communications Policy Management |
First Time | | Oracle communications Cloud Native Core Network Slice Selection Function |
First Time | | Oracle communications Cloud Native Core Network Function Cloud Native Environment |
First Time | | Oracle banking Trade Finance Process Management |
First Time | | Oracle banking Credit Facilities Process Management |
First Time | | Oracle banking Supply Chain Finance |
First Time | | Oracle financial Services Enterprise Case Management |
First Time | | Oracle banking Electronic Data Exchange For Corporates |
First Time | | Oracle banking Origination |
First Time | | Oracle communications Cloud Native Core Security Edge Protection Proxy |
First Time | | Oracle financial Services Analytical Applications Infrastructure |
CPE | | cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.1.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:banking_supply_chain_finance:14.5:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:retail_xstore_point_of_service:21.0.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:banking_liquidity_management:14.5:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_cloud_native_core_console:22.1.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:22.1.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:banking_branch:14.5:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_communications_policy_management:12.6.0.0.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.3:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:banking_origination:14.5:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:banking_virtual_account_management:14.5:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:banking_electronic_data_exchange_for_corporates:14.5:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.2:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:banking_liquidity_management:14.2:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:* |
References | | (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory |
References | | (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory |
25 Jul 2022, 18:20
Type | Values Removed | Values Added |
---|---|---|
References | | |
20 Apr 2022, 00:16
Type | Values Removed | Values Added |
---|---|---|
References | | |
06 Apr 2022, 13:16
Type | Values Removed | Values Added |
---|---|---|
CPE | | cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:* |
CVSS | | v2 : 7.5; v3 : 9.8 |
First Time | | Vmware |
First Time | | Vmware spring Cloud Function |
CWE | | CWE-94 |
References | | (CONFIRM) https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005 - Third Party Advisory |
References | | (CISCO) https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH - Third Party Advisory |
References | | (MISC) https://tanzu.vmware.com/security/cve-2022-22963 - Vendor Advisory |
02 Apr 2022, 20:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
02 Apr 2022, 03:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
01 Apr 2022, 23:15
Type | Values Removed | Values Added |
---|---|---|
New CVE | | |
Information
Published : 2022-04-01 23:15
Updated : 2023-12-10 14:22
NVD link : CVE-2022-22963
Mitre link : CVE-2022-22963
CVE.ORG link : CVE-2022-22963
JSON object : View
Products Affected
oracle
- communications_cloud_native_core_security_edge_protection_proxy
- banking_liquidity_management
- banking_virtual_account_management
- communications_cloud_native_core_network_repository_function
- banking_branch
- banking_supply_chain_finance
- banking_cash_management
- communications_cloud_native_core_policy
- banking_origination
- banking_corporate_lending_process_management
- banking_electronic_data_exchange_for_corporates
- sd-wan_edge
- financial_services_analytical_applications_infrastructure
- banking_credit_facilities_process_management
- mysql_enterprise_monitor
- banking_trade_finance_process_management
- communications_cloud_native_core_network_slice_selection_function
- communications_cloud_native_core_network_function_cloud_native_environment
- financial_services_behavior_detection_platform
- product_lifecycle_analytics
- financial_services_enterprise_case_management
- communications_cloud_native_core_automated_test_suite
- retail_xstore_point_of_service
- communications_cloud_native_core_unified_data_repository
- communications_cloud_native_core_console
- communications_communications_policy_management
- communications_cloud_native_core_network_exposure_function
vmware
- spring_cloud_function