9.8
CVE-2022-22963
- EPSS 94.46%
- Veröffentlicht 01.04.2022 23:15:13
- Zuletzt bearbeitet 13.03.2025 16:36:53
- Quelle security@vmware.com
- Teams Watchlist Login
- Unerledigt Login
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VMware ≫ Spring Cloud Function Version <= 3.1.6
VMware ≫ Spring Cloud Function Version >= 3.2.0 <= 3.2.2
Oracle ≫ Banking Branch Version14.5
Oracle ≫ Banking Cash Management Version14.5
Oracle ≫ Banking Corporate Lending Process Management Version14.5
Oracle ≫ Banking Credit Facilities Process Management Version14.5
Oracle ≫ Banking Electronic Data Exchange For Corporates Version14.5
Oracle ≫ Banking Liquidity Management Version14.2
Oracle ≫ Banking Liquidity Management Version14.5
Oracle ≫ Banking Origination Version14.5
Oracle ≫ Banking Supply Chain Finance Version14.5
Oracle ≫ Banking Trade Finance Process Management Version14.5
Oracle ≫ Banking Virtual Account Management Version14.5
Oracle ≫ Communications Cloud Native Core Automated Test Suite Version1.9.0
Oracle ≫ Communications Cloud Native Core Automated Test Suite Version22.1.0
Oracle ≫ Communications Cloud Native Core Console Version1.9.0
Oracle ≫ Communications Cloud Native Core Console Version22.1.0
Oracle ≫ Communications Cloud Native Core Network Exposure Function Version22.1.0
Oracle ≫ Communications Cloud Native Core Network Repository Function Version1.15.0
Oracle ≫ Communications Cloud Native Core Network Repository Function Version22.1.0
Oracle ≫ Communications Cloud Native Core Policy Version1.15.0
Oracle ≫ Communications Cloud Native Core Policy Version22.1.0
Oracle ≫ Communications Cloud Native Core Policy Version22.1.3
Oracle ≫ Communications Cloud Native Core Unified Data Repository Version1.15.0
Oracle ≫ Communications Cloud Native Core Unified Data Repository Version22.1.0
Oracle ≫ Communications Communications Policy Management Version12.6.0.0.0
Oracle ≫ Financial Services Analytical Applications Infrastructure Version8.1.1.0
Oracle ≫ Financial Services Analytical Applications Infrastructure Version8.1.2.0
Oracle ≫ Financial Services Behavior Detection Platform Version8.1.1.0
Oracle ≫ Financial Services Behavior Detection Platform Version8.1.1.1
Oracle ≫ Financial Services Behavior Detection Platform Version8.1.2.0
Oracle ≫ Financial Services Enterprise Case Management Version8.1.1.0
Oracle ≫ Financial Services Enterprise Case Management Version8.1.1.1
Oracle ≫ Financial Services Enterprise Case Management Version8.1.2.0
Oracle ≫ Mysql Enterprise Monitor Version <= 8.0.29
Oracle ≫ Product Lifecycle Analytics Version3.6.1.0
Oracle ≫ Retail Xstore Point Of Service Version20.0.1
Oracle ≫ Retail Xstore Point Of Service Version21.0.0
Oracle ≫ Sd-wan Edge Version9.0
Oracle ≫ Sd-wan Edge Version9.1
25.08.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog
VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability
SchwachstelleWhen using routing functionality in VMware Tanzu's Spring Cloud Function, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
BeschreibungApply updates per vendor instructions.
Erforderliche Maßnahmen| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 94.46% | 1 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.