CVE-2022-22963

Improper Control of Generation of Code ('Code Injection') in maven/org.springframework.cloud/spring-cloud-function-context

Identifiers

GHSA-6v73-fgf6-w5j7, CVE-2022-22963

Package Slug

maven/org.springframework.cloud/spring-cloud-function-context

Vulnerability

Improper Control of Generation of Code ('Code Injection')

Description

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when the routing functionality is used, a user can supply a specially crafted SpEL expression as the routing expression, which may result in remote code execution and access to local resources.

Affected Versions

All versions starting from 3.2.0 before 3.2.3, all versions before 3.1.7

Solution

Upgrade to version 3.1.7 or above.
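The affected ranges above ([3.2.0, 3.2.3) and everything below 3.1.7) are easy to misread when a project pins the dependency through a Maven property. The following is an added example, not code from the advisory or from the Spring project: it parses a Maven POM, resolves `${...}` property placeholders, and reports whether each direct declaration of `org.springframework.cloud:spring-cloud-function-context` falls inside the advisory's affected ranges. The sample POM and its property name are constructed for the example; pre-release qualifiers (SNAPSHOT, M1, RC1) are treated as older than the corresponding release so that a 3.1.7-SNAPSHOT build is still flagged.

```python
"""Added example (not part of the advisory): flag Maven declarations of
spring-cloud-function-context that fall in the affected ranges of
CVE-2022-22963 / GHSA-6v73-fgf6-w5j7."""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Coordinates from the advisory's package slug.
GROUP_ID = "org.springframework.cloud"
ARTIFACT_ID = "spring-cloud-function-context"

# Version key: (major, minor, patch, is_release). is_release is 0 for pre-release
# qualifiers (SNAPSHOT, M1, RC1) and 1 for a final build, so 3.1.7-SNAPSHOT sorts
# below the 3.1.7 release and is still treated as affected.
VersionKey = Tuple[int, int, int, int]

# Affected ranges transcribed from the advisory: [3.2.0, 3.2.3) and (, 3.1.7).
# The upper bound is the fixed *release*, so its pre-releases remain affected.
AFFECTED_RANGES: List[Tuple[Optional[VersionKey], VersionKey]] = [
    ((3, 2, 0, 0), (3, 2, 3, 1)),
    (None, (3, 1, 7, 1)),
]

RELEASE_QUALIFIERS = {"", "RELEASE", "FINAL", "GA"}


def parse_version(text: str) -> VersionKey:
    """Parse '3.1.6', '3.2.2.RELEASE' or '3.1.7-SNAPSHOT' into a comparable key."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[.-](.*))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, qualifier = m.groups()
    is_release = 1 if (qualifier or "").upper() in RELEASE_QUALIFIERS else 0
    return (int(major), int(minor or 0), int(patch or 0), is_release)


def is_affected(version: str) -> bool:
    """True if the version lies in any affected range of the advisory."""
    key = parse_version(version)
    return any((lo is None or key >= lo) and key < hi for lo, hi in AFFECTED_RANGES)


POM_NS = "http://maven.apache.org/POM/4.0.0"


def _tag(name: str) -> str:
    return f"{{{POM_NS}}}{name}"


def _text(el: Optional[ET.Element], child: str) -> str:
    found = el.find(_tag(child)) if el is not None else None
    return (found.text or "").strip() if found is not None else ""


def scan_pom(pom_xml: str) -> List[Tuple[str, Optional[bool]]]:
    """Return (declared version, affected?) for each direct declaration of the
    advisory's artifact. 'affected' is None when the version cannot be resolved
    from this POM alone (for example when an imported BOM manages it)."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find(_tag("properties"))
    if props_el is not None:
        props = {p.tag.split("}")[-1]: (p.text or "").strip() for p in props_el}
    props.setdefault("project.version", _text(root, "version"))

    def resolve(value: str) -> str:
        # Expand ${prop} placeholders declared in <properties>; unknown ones stay as-is.
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

    results: List[Tuple[str, Optional[bool]]] = []
    for dep in root.iter(_tag("dependency")):
        if _text(dep, "groupId") != GROUP_ID or _text(dep, "artifactId") != ARTIFACT_ID:
            continue
        version = resolve(_text(dep, "version"))
        if not version or "${" in version:
            results.append((version, None))
        else:
            results.append((version, is_affected(version)))
    return results


# Constructed sample POM (hypothetical project and property name).
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <properties>
    <spring-cloud-function.version>3.2.2</spring-cloud-function.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-function-context</artifactId>
      <version>${spring-cloud-function.version}</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>unrelated-lib</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for version, affected in scan_pom(SAMPLE_POM):
        state = "unresolved" if affected is None else ("AFFECTED" if affected else "not affected")
        print(f"{GROUP_ID}:{ARTIFACT_ID}:{version} -> {state}")
```

This only inspects versions declared directly in the POM. When the artifact arrives transitively (for example through a Spring Cloud starter) or is pinned by an imported BOM, feed the resolved version from `mvn dependency:tree` to `is_affected` instead.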

Last Modified

2022-05-04
