CVE-2022-22963
CVE Published | 2022-04-01 |
---|---|
Related CWE(s) | CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection'), CWE-94: Improper Control of Generation of Code ('Code Injection') |
Related Vendor(s) | vmware, oracle |
Related Product(s) | communications_cloud_native_core_network_slice_selection_function, retail_xstore_point_of_service, financial_services_behavior_detection_platform, communications_cloud_native_core_automated_test_suite, communications_communications_policy_management, communications_cloud_native_core_network_repository_function, sd-wan_edge, communications_cloud_native_core_unified_data_repository, spring_cloud_function, banking_corporate_lending_process_management, banking_trade_finance_process_management, banking_electronic_data_exchange_for_corporates, communications_cloud_native_core_network_exposure_function, communications_cloud_native_core_network_function_cloud_native_environment, banking_origination, communications_cloud_native_core_console, financial_services_analytical_applications_infrastructure, communications_cloud_native_core_policy, banking_branch, financial_services_enterprise_case_management, banking_liquidity_management, mysql_enterprise_monitor, banking_credit_facilities_process_management, product_lifecycle_analytics, banking_virtual_account_management, communications_cloud_native_core_security_edge_protection_proxy, banking_cash_management, banking_supply_chain_finance |
Exploitation Reported (CISA KEV) | 2022-08-25 |
CVSS 3 Base Score | 9.8 (CRITICAL) |
CVSS 3 Attack Complexity | LOW |
CVSS 3 Attack Vector | NETWORK |
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.