CVE-2022-22965
| CVE Published | 2022-04-01 |
|---|---|
| Related CWE(s) | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| Related Vendor(s) | oracle, veritas, vmware, siemens, cisco |
| Related Product(s) | communications_cloud_native_core_network_slice_selection_function, operation_scheduler, access_appliance, retail_xstore_point_of_service, financial_services_behavior_detection_platform, retail_integration_bus, communications_cloud_native_core_automated_test_suite, flex_appliance, communications_cloud_native_core_network_repository_function, spring_framework, sipass_integrated, communications_cloud_native_core_unified_data_repository, sd-wan_edge, communications_cloud_native_core_network_exposure_function, communications_unified_inventory_management, communications_cloud_native_core_network_function_cloud_native_environment, communications_policy_management, communications_cloud_native_core_console, retail_financial_integration, siveillance_identity, sinec_network_management_system, netbackup_appliance, financial_services_analytical_applications_infrastructure, netbackup_virtual_appliance, retail_merchandising_system, communications_cloud_native_core_binding_support_function, cx_cloud_agent, communications_cloud_native_core_policy, financial_services_enterprise_case_management, netbackup_flex_scale_appliance, mysql_enterprise_monitor, product_lifecycle_analytics, commerce_platform, communications_cloud_native_core_security_edge_protection_proxy, retail_customer_management_and_segmentation_foundation, retail_bulk_data_integration, weblogic_server, simatic_speech_assistant_for_machines |
| Exploitation Reported (CISA KEV) | 2022-04-04 |
| CVSS 3 Base Score | 9.8 (CRITICAL) |
| CVSS 3 Attack Complexity | LOW |
| CVSS 3 Attack Vector | NETWORK |
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Cyber Threat Graph Context
Explore how this CVE relates to the wider threat graph
Threat Reports Related to CVE-2022-22965
Report
North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs
This cybersecurity advisory from the U.S. Federal Bureau of Investigation (FBI) and its partners, highlights the cyber espionage activities of the ...