GHSA-vpr3-f594-mg5g, CVE-2010-1622
maven/org.springframework/spring
Improper Control of Generation of Code ('Code Injection')
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.
Affected: all versions from 2.5.0 up to 2.5.6, and all versions from 3.0.0 up to 3.0.2.
Remediation: upgrade to version 2.5.7 or 3.0.3, or later.
2022-06-19