A flaw was found in Spring Framework, specifically within two modules called Spring MVC and Spring WebFlux, (transitively affected from Spring Beans), using parameter data binding. This flaw allows an attacker to pass specially-constructed malicious requests to certain parameters and possibly gain access to normally-restricted functionality within the Java Virtual Machine.
For those who are not able to upgrade affected Spring classes to the fixed versions, there is a workaround customers can implement for their applications, via setting disallowed fields on the data binder, and denying various iterations of the string "class.*"
For full implementation details, see Spring's early announcement post in the "suggested workarounds" section: <https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#suggested-workarounds>
bugzilla.redhat.com/show_bug.cgi?id=2070348
nvd.nist.gov/vuln/detail/CVE-2022-22965
spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
tanzu.vmware.com/security/cve-2022-22965
www.cve.org/CVERecord?id=CVE-2022-22965
www.cyberkendra.com/2022/03/spring4shell-details-and-exploit-code.html
www.praetorian.com/blog/spring-core-jdk9-rce/