A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
History

Wed, 29 Jan 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2022-04-04'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
References

Fri, 18 Oct 2024 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Oracle jdk
CPEs cpe:2.3:a:oracle:jdk:*:*:*:*:*:*:*:*
Vendors & Products Oracle jdk

Wed, 14 Aug 2024 01:00:00 +0000

Type Values Removed Values Added
References

cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2022-04-01T22:17:30.000Z

Updated: 2025-01-29T17:52:44.731Z

Reserved: 2022-01-10T00:00:00.000Z

Link: CVE-2022-22965

cve-icon Vulnrichment

Updated: 2024-08-03T03:28:42.725Z

cve-icon NVD

Status : Modified

Published: 2022-04-01T23:15:13.870

Modified: 2025-01-29T18:15:44.133

Link: CVE-2022-22965

cve-icon Redhat

Severity : Important

Publid Date: 2022-03-30T00:00:00Z

Links: CVE-2022-22965 - Bugzilla