GitHub Advisory DatabaseGHSA-VPR3-F594-MG5GImproper Control of Generation of Code ('Code Injection') in Spring Framework
9.6 High
AI Score
Confidence
High
6 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
0.036 Low
EPSS
Percentile
91.6%
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.springframework:spring | le | 3.0.2 | |
| org.springframework:spring | le | 2.5.6 |
References
geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html
geronimo.apache.org/21x-security-report.html
geronimo.apache.org/22x-security-report.html
www.exploit-db.com/exploits/13918
www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
www.redhat.com/support/errata/RHSA-2011-0175.html
access.redhat.com/errata/RHSA-2011:0175
access.redhat.com/security/cve/CVE-2010-1622
bugzilla.redhat.com/show_bug.cgi?id=606706
github.com/advisories/GHSA-vpr3-f594-mg5g
github.com/spring-projects/spring-framework/commit/3a5af35d37c79d0644d49b93f792a4c18fe8eb71
nvd.nist.gov/vuln/detail/CVE-2010-1622
seclists.org/fulldisclosure/2010/Jun/456
web.archive.org/web/20100623011648/www.springsource.com/security/cve-2010-1622
web.archive.org/web/20161014113129/www.securitytracker.com/id/1033898
web.archive.org/web/20200227210033/www.securityfocus.com/archive/1/511877
web.archive.org/web/20200228060816/www.securityfocus.com/bid/40954
Related
9.6 High
AI Score
Confidence
High
6 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
0.036 Low
EPSS
Percentile
91.6%