CVE-2022-22965: Remote Code Execution in Spring Framework

March 31, 2022 (updated January 29, 2025)

Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as Spring4Shell.

References

cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf
github.com/advisories/GHSA-36p3-wjmg-h94x
github.com/spring-projects/spring-boot/releases/tag/v2.5.12
github.com/spring-projects/spring-boot/releases/tag/v2.6.6
github.com/spring-projects/spring-framework
github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15
github.com/spring-projects/spring-framework/releases/tag/v5.2.20.RELEASE
github.com/spring-projects/spring-framework/releases/tag/v5.3.18
nvd.nist.gov/vuln/detail/CVE-2022-22965
psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005
spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
tanzu.vmware.com/security/cve-2022-22965
tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67
www.kb.cert.org/vuls/id/970766
www.oracle.com/security-alerts/cpuapr2022.html
www.oracle.com/security-alerts/cpujul2022.html

Detect and mitigate CVE-2022-22965 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →