Spring MVC and Spring WebFlux applications, when packaged as a traditional WAR file, running on JDK version 9 and higher in an Apache Tomcat servlet container and exposing one or more endpoints with DataBinder enabled, suffer from a Remote Code Execution (RCE) vulnerability.
By crafting a specific HTTP request, an attacker could leverage the vulnerability to compromise the target by, for example, hosting a web shell on the target application.
| Vendor | Product | Version | CPE |
|---|---|---|---|
| vmware | spring_security | * | cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:* |