CVSS3: 9.8 High

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.975 High (Percentile: 100.0%)
The Spring Framework insecurely handles PropertyDescriptor objects, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
The Spring Framework is a Java framework that can be used to create applications such as web applications. Due to improper handling of PropertyDescriptor objects used with data binding, Java applications written with Spring may allow for the execution of arbitrary code.
Exploit code that targets affected WAR-packaged Java applications deployed on Tomcat servers is publicly available.
NCSC-NL has a list of products and their statuses with respect to this vulnerability.
By providing crafted data to a Spring Java application, such as a web application, an attacker may be able to execute arbitrary code with the privileges of the affected application. Depending on the application, exploitation may be possible by a remote attacker without requiring authentication.
This issue is addressed in Spring Framework 5.3.18 and 5.2.20. Please see the Spring Framework RCE Early Announcement for more details.
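For applications that cannot move to the fixed versions immediately, the interim workaround Spring described in the Early Announcement referenced above is to stop data binding from following a request-supplied property path into the `class` property of a bound object (and from there into the ClassLoader and other JVM internals). The following is an added example in that shape; it is not code from this note or from the Spring project, and the package and class names are hypothetical.

```java
// Added example (not from the CERT/CC note or the Spring project): a global
// data-binding denylist in the shape of the interim workaround Spring
// published for CVE-2022-22965. It is a stopgap for applications that cannot
// yet upgrade to Spring Framework 5.3.18 / 5.2.20. Package and class names
// are hypothetical.
package example.hardening;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Applied to the WebDataBinder of every controller. Data binding resolves
 * nested property paths taken from request parameters; the patterns below
 * refuse any path that passes through the "class" property at any depth, so
 * a bound object's ClassLoader is never reachable from request data.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Unpatched versions match disallowed-field patterns case-sensitively,
    // so both spellings are listed; the "*." forms cover nested paths
    // such as "owner.class.x".
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Disallowed fields are dropped silently during binding; the request
        // still succeeds, but the dangerous path is never written.
        dataBinder.setDisallowedFields(DENYLIST);
    }
}
```

Two caveats a deployer should check: a controller that already calls `setDisallowedFields` in its own `@InitBinder` method overrides this global advice, so the same denylist has to be repeated there; and the advice only narrows the binding surface, so upgrading to the versions named above remains the actual fix.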
This issue was publicly disclosed by heige.
This document was written by Will Dormann.
VU#970766
Vendor statuses for CVE-2022-22965:

| Notified | Updated | Statement Date | Status | Vendor Statement |
|---|---|---|---|---|
| 2022-04-02 | 2022-04-02 | | Affected | We have not received a statement from the vendor. |
| 2022-04-06 | 2022-04-06 | | Affected | We have not received a statement from the vendor. |
| 2022-04-06 | 2022-04-08 | April 07, 2022 | Affected | Cisco is aware of the vulnerability identified by CVE ID CVE-2022-22950 and with the title “Spring Expression DoS Vulnerability”. We are following our well-established process to investigate all aspects of the issue. If something is found that our customers need to be aware of and respond to, we will communicate via our established disclosure process. |
| | 2022-04-20 | | Affected | We have not received a statement from the vendor. |
| 2022-04-06 | 2022-04-04 | | Affected | We have not received a statement from the vendor. |
| 2022-04-06 | 2022-04-05 | | Affected | We have not received a statement from the vendor. |
| 2022-04-06 | 2022-04-04 | | Affected | We have not received a statement from the vendor. |
| | 2022-04-13 | | Affected | We have not received a statement from the vendor. |
| | 2022-04-27 | | Affected | We have not received a statement from the vendor. |
| 2022-04-02 | 2022-04-06 | April 04, 2022 | Affected | We have not received any reports of these issues from SolarWinds customers but are actively investigating. The following SolarWinds products do utilize the Spring Framework, but have not yet been confirmed to be affected by this issue: Security Event Manager (SEM); Database Performance Analyzer (DPA); Web Help Desk (WHD). While we have not seen or received reports of SolarWinds products affected by this issue, for the protection of their environments, SolarWinds strongly recommends all customers disconnect their public-facing (internet-facing) installations of these SolarWinds products (SEM, DPA, and WHD) from the internet. |
| 2022-03-31 | 2022-03-31 | March 31, 2022 | Affected | We have not received a statement from the vendor. |
| 2022-04-06 | 2022-04-03 | | Affected | We have not received a statement from the vendor. |
| 2022-04-06 | 2022-04-08 | April 07, 2022 | Not Affected | Aruba Networks is aware of the issue and we have published a security advisory for our products at https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-006.txt |
| | 2022-04-12 | | Not Affected | We have not received a statement from the vendor. |
| 2022-04-06 | 2022-04-05 | | Not Affected | We have not received a statement from the vendor. |
| 2022-04-06 | 2022-04-05 | | Not Affected | We have not received a statement from the vendor. |
| 2022-04-01 | 2022-04-20 | April 15, 2022 | Not Affected | F5 products and services and NGINX products are not affected by CVE-2022-22965. |
| 2022-04-06 | 2022-04-02 | | Not Affected | We have not received a statement from the vendor. |
| 2022-04-06 | 2022-04-05 | | Not Affected | We have not received a statement from the vendor. |
| 2022-04-06 | 2022-04-04 | | Not Affected | We have not received a statement from the vendor. |
| 2022-04-06 | 2022-04-05 | | Not Affected | We have not received a statement from the vendor. |
| 2022-04-06 | 2022-04-05 | | Not Affected | We have not received a statement from the vendor. |
| 2022-04-06 | 2022-04-08 | April 08, 2022 | Not Affected | No Red Hat products are affected by CVE-2022-22963. |
| 2022-04-06 | 2022-04-05 | | Not Affected | We have not received a statement from the vendor. |
| 2022-04-06 | 2022-04-06 | | Not Affected | We have not received a statement from the vendor. |
| 2022-04-02 | 2022-04-08 | April 06, 2022 | Not Affected | We have not received a statement from the vendor. |
| 2022-04-06 | 2022-04-08 | April 08, 2022 | Not Affected | The UniFi Network application only supports Java 8, which is not affected by this CVE. Still, the upcoming Network Version 7.2 update will upgrade to Spring Framework 5.3.18. |
| 2022-04-02 | 2022-04-02 | | Not Affected | We have not received a statement from the vendor. |
| 2022-04-01 | 2022-04-02 | | Unknown | We have not received a statement from the vendor. |
| | 2022-04-12 | | Unknown | We have not received a statement from the vendor. |
| 2022-04-02 | 2022-04-02 | | Unknown | We have not received a statement from the vendor. |
| 2022-04-02 | 2022-04-02 | | Unknown | We have not received a statement from the vendor. |
| 2022-04-06 | 2022-04-05 | | Unknown | We have not received a statement from the vendor. |
| 2022-04-06 | 2022-04-11 | | Unknown | We have not received a statement from the vendor. |
| 2022-04-02 | 2022-04-02 | | Unknown | We have not received a statement from the vendor. |
| 2022-04-06 | 2022-05-19 | May 17, 2022 | Unknown | We have not received a statement from the vendor. |
| 2022-04-02 | 2022-04-02 | | Unknown | We have not received a statement from the vendor. |
| 2022-04-06 | 2022-04-05 | | Unknown | We have not received a statement from the vendor. |
| 2022-04-02 | 2022-04-02 | | Unknown | We have not received a statement from the vendor. |
| Field | Value |
|---|---|
| CVE IDs | CVE-2022-22965 |
| Date Public | 2022-03-30 |
| Date First Published | |