AVID-2026-R0960
Description
Vulnerability CVE-2022-22965
Details
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, which is the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Reason for inclusion in AVID: CVE-2022-22965 (Spring4Shell) is a remote code execution vulnerability in the Spring Framework that can affect Java-based web services, including those used to serve AI models or provide AI-related APIs. It concerns a software dependency used in general-purpose AI system stacks (e.g., backend services, model-serving frontends) and represents a security vulnerability in the software supply chain for AI deployments. The report provides explicit vulnerability behavior (RCE), affected components, and references, satisfying the sufficient-evidence criterion for inclusion.
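As an added example (not part of this AVID record or of the Spring project's code), the interim hardening that the Spring advisory referenced below recommended for deployments that could not upgrade immediately: a global @InitBinder that refuses the `class`/`Class` property paths the data-binding exploit traverses. The package and class names are assumptions; the actual fix is upgrading to a Spring Framework release that contains the patch.

```java
package example.hardening; // hypothetical package name, not from the advisory

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Interim mitigation for CVE-2022-22965 (Spring4Shell).
 *
 * The exploit abuses Spring MVC / WebFlux data binding to walk from a bound
 * request parameter into the "class.*" / "Class.*" property path (and the
 * nested "*.class.*" / "*.Class.*" variants), which reaches the ClassLoader.
 * Refusing those paths on every WebDataBinder closes that traversal. This
 * only blocks the known path; the advisory itself warns the weakness is more
 * general, so it is a stopgap until the patched framework is deployed.
 */
@ControllerAdvice
@Order(Ordered.HIGHEST_PRECEDENCE) // apply before any other @ControllerAdvice
public class BinderHardeningAdvice {

    // Property-path matching is case-sensitive, hence both spellings.
    private static final String[] DISALLOWED_FIELDS = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void hardenBinder(WebDataBinder binder) {
        // Caveat: a controller's own @InitBinder runs after global advice, so a
        // controller that calls setDisallowedFields itself replaces this list
        // and must include these patterns in its own call.
        binder.setDisallowedFields(DISALLOWED_FIELDS);
    }
}
```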
References
- NVD entry
- https://tanzu.vmware.com/security/cve-2022-22965
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005
- http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf
- https://www.oracle.com/security-alerts/cpujul2022.html
- http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | Spring Framework |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-94 | Improper Control of Generation of Code ('Code Injection') |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-04-01
- Version: 0.3.3
- AVID Entry