{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42825?format=json","vulnerability_id":"VCID-ps9c-wcgx-9kfs","summary":"Remote Code Execution\nIn Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.","aliases":[{"alias":"CVE-2022-22963"},{"alias":"GHSA-6v73-fgf6-w5j7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61254?format=json","purl":"pkg:maven/org.springframework.cloud/spring-cloud-function-context@3.1.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.cloud/spring-cloud-function-context@3.1.7"},{"url":"http://public2.vulnerablecode.io/api/packages/61253?format=json","purl":"pkg:maven/org.springframework.cloud/spring-cloud-function-context@3.2.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.cloud/spring-cloud-function-context@3.2.3"},{"url":"http://public2.vulnerablecode.io/api/packages/61232?format=json","purl":"pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.1.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.1.7"},{"url":"http://public2.vulnerablecode.io/api/packages/61233?format=json","purl":"pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.2.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.2.3"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/512093?format=json","purl":"pkg:maven/org.springframework
.cloud/spring-cloud-function-context@3.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ps9c-wcgx-9kfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.cloud/spring-cloud-function-context@3.2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/61230?format=json","purl":"pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ps9c-wcgx-9kfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.1.0"},{"url":"http://public2.vulnerablecode.io/api/packages/565754?format=json","purl":"pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ps9c-wcgx-9kfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/565755?format=json","purl":"pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ps9c-wcgx-9kfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.1.2"},{"url":"http://public2.vulnerablecode.io/api/packages/565756?format=json","purl":"pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ps9c-wcgx-9kfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.1.3"},{"url":"http://public2.vulnerablecode.io/api/packages/565757?format=json","purl":"pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.1.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ps9c-wcgx
-9kfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.1.4"},{"url":"http://public2.vulnerablecode.io/api/packages/565758?format=json","purl":"pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.1.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ps9c-wcgx-9kfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.1.5"},{"url":"http://public2.vulnerablecode.io/api/packages/565759?format=json","purl":"pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ps9c-wcgx-9kfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.1.6"},{"url":"http://public2.vulnerablecode.io/api/packages/61231?format=json","purl":"pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ps9c-wcgx-9kfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/565760?format=json","purl":"pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ps9c-wcgx-9kfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.2.1"},{"url":"http://public2.vulnerablecode.io/api/packages/565761?format=json","purl":"pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ps9c-wcgx-9kfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.cloud/spring-cloud-function-core@3
.2.2"},{"url":"http://public2.vulnerablecode.io/api/packages/133132?format=json","purl":"pkg:rpm/redhat/openshift-serverless-clients@1.0.1-2?arch=el8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ps9c-wcgx-9kfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/openshift-serverless-clients@1.0.1-2%3Farch=el8"}],"references":[{"reference_url":"http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-01-29T17:53:06Z/"}],"url":"http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22963.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22963.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-22963","reference_id":"","reference_type":"","scores":[{"value":"0.94462","scoring_system":"epss","scoring_elements":"0.99995","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-22963"},{"reference_url":"https://github.com/spring-cloud/spring-cloud-function","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_element
s":""}],"url":"https://github.com/spring-cloud/spring-cloud-function"},{"reference_url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-01-29T17:53:06Z/"}],"url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005"},{"reference_url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-01-29T17:53:06Z/"}],"url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22963","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22963"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_syst
em":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-01-29T17:53:06Z/"}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-01-29T17:53:06Z/"}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2070668","reference_id":"2070668","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2070668"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/webapps/51577.py","reference_id":"CVE-2022-22963","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/webapps/51577.py"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22963","reference_id":"CVE-2022-22963","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22963"},{"reference_url":"https://tanzu.vmware.com/security/cve-2022-22963","reference_id":"CVE-202
2-22963","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-01-29T17:53:06Z/"}],"url":"https://tanzu.vmware.com/security/cve-2022-22963"},{"reference_url":"https://github.com/advisories/GHSA-6v73-fgf6-w5j7","reference_id":"GHSA-6v73-fgf6-w5j7","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6v73-fgf6-w5j7"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1291","reference_id":"RHSA-2022:1291","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1291"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1292","reference_id":"RHSA-2022:1292","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1292"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":770,"name":"Allocation of Resources Without Limits or Throttling","description":"The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor."},{"cwe_id":497,"name":"Exposure of Sensitive System Information to an Unauthorized Control Sphere","description":"The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the 
underlying system as the product does."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":917,"name":"Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')","description":"The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed."},{"cwe_id":94,"name":"Improper Control of Generation of Code ('Code Injection')","description":"The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment."}],"exploits":[{"date_added":"2023-07-11","description":"Spring Cloud 3.2.2 - Remote Command Execution (RCE)","required_action":null,"due_date":null,"notes":null,"known_ransomware_campaign_use":false,"source_date_published":"2023-07-11","exploit_type":"webapps","platform":"java","source_date_updated":"2023-07-11","data_source":"Exploit-DB","source_url":""},{"date_added":"2022-08-25","description":"When using routing functionality in VMware Tanzu's Spring Cloud Function, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.","required_action":"Apply updates per vendor instructions.","due_date":"2022-09-15","notes":"https://tanzu.vmware.com/security/cve-2022-22963;  
https://nvd.nist.gov/vuln/detail/CVE-2022-22963","known_ransomware_campaign_use":false,"source_date_published":null,"exploit_type":null,"platform":null,"source_date_updated":null,"data_source":"KEV","source_url":null},{"date_added":null,"description":"Spring Cloud Function versions prior to 3.1.7 and 3.2.3 are vulnerable to remote code execution due to using\n          an unsafe evaluation context with user-provided queries. By crafting a request to the application and setting\n          the spring.cloud.function.routing-expression header, an unauthenticated attacker can gain remote code\n          execution. Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message.","required_action":null,"due_date":null,"notes":"Stability:\n  - crash-safe\nReliability:\n  - repeatable-session\nSideEffects:\n  - ioc-in-logs\n  - artifacts-on-disk\n","known_ransomware_campaign_use":false,"source_date_published":"2022-03-29","exploit_type":null,"platform":"Linux,Unix","source_date_updated":null,"data_source":"Metasploit","source_url":"https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/spring_cloud_function_spel_injection.rb"}],"severity_range_score":"9.0 - 10.0","exploitability":"2.0","weighted_severity":"9.0","risk_score":10.0,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ps9c-wcgx-9kfs"}
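The record above gives a responder two actionable facts: the affected Maven artifacts with their fixed versions (3.1.7 for the 3.1.x line, 3.2.3 for the 3.2.x line, everything older affected), and the attack vector named in the Metasploit entry, a SpEL expression delivered in the `spring.cloud.function.routing-expression` request header, with the note that the HTTP status (500 either way) does not tell patched from unpatched servers. The following Python is an added triage example written for this page; it is not VulnerableCode's code, not Spring's, and not the Metasploit module. It assumes a hypothetical JSON-lines request log in which a proxy has recorded request headers under a `headers` object (the sample records are constructed here), and it judges only the two artifacts the advisory lists; the SpEL indicator patterns are the author's choice of common code-execution constructs, not a list from the advisory.

```python
"""Triage helpers for VCID-ps9c-wcgx-9kfs (CVE-2022-22963): dependency range check + log IoC scan.

Added example; assumes a JSON-lines request log with a "headers" object per record.
"""
import json
import re
from urllib.parse import unquote

# Fixed versions taken from the advisory's fixed_packages entries.
FIXED_BY_LINE = {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)}
AFFECTED_GROUP = "org.springframework.cloud"
AFFECTED_ARTIFACTS = {"spring-cloud-function-context", "spring-cloud-function-core"}

# Header named in the advisory's Metasploit entry; the crafted SpEL arrives in its value.
ROUTING_HEADER = "spring.cloud.function.routing-expression"
# SpEL constructs that a routing expression (normally just a function name) should never contain.
# Case-sensitive on purpose so "T(" does not match e.g. "format(".
SPEL_CODE_PATTERNS = re.compile(r"T\(|getRuntime\(|ProcessBuilder|\.exec\(|new\s+java\.")

_PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<name>[^@?#]+)@(?P<version>[^?#]+)")
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """(major, minor, patch) for '3.1.6' or '3.2.3-SNAPSHOT'; None if the prefix is not numeric."""
    m = _VERSION_RE.match(version)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_purl(purl):
    """True/False for a listed spring-cloud-function artifact; None for anything this check cannot judge."""
    m = _PURL_RE.match(purl)
    if not m or m["group"] != AFFECTED_GROUP or m["name"] not in AFFECTED_ARTIFACTS:
        return None
    v = parse_version(m["version"])
    if v is None:
        return None
    line = v[:2]
    if line in FIXED_BY_LINE:
        return v < FIXED_BY_LINE[line]  # 3.1.0-3.1.6 and 3.2.0-3.2.2 are affected
    # "older unsupported versions" (3.0.x and earlier) never received a fix; 3.3+/4.x postdate it.
    return line < (3, 1)


def scan_log_lines(lines):
    """Return one finding per request that carried the routing-expression header.

    Severity is "high" when the (URL-decoded) value looks like SpEL code rather than a function name.
    The response status is deliberately not used: per the advisory, patched and unpatched servers
    both answer 500 to the exploit request.
    """
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a record we understand; skip rather than crash mid-scan
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        raw = headers.get(ROUTING_HEADER)
        if raw is None:
            continue
        value = unquote(raw)  # attackers percent-encode to slip past naive string matches
        severity = "high" if SPEL_CODE_PATTERNS.search(value) else "info"
        findings.append({"ts": rec.get("ts"), "src": rec.get("src"), "path": rec.get("path"),
                         "status": rec.get("status"), "expression": value, "severity": severity})
    return findings


# Constructed sample log (hypothetical format: a proxy logging selected request headers as JSON lines).
SAMPLE_LOG_LINES = [json.dumps(rec) for rec in [
    {"ts": "2022-03-30T11:02:13Z", "src": "203.0.113.5", "method": "POST", "path": "/functionRouter",
     "status": 500, "headers": {ROUTING_HEADER: "T(java.lang.Runtime).getRuntime().exec('id')"}},
    {"ts": "2022-03-30T11:02:40Z", "src": "198.51.100.7", "method": "POST", "path": "/functionRouter",
     "status": 200, "headers": {ROUTING_HEADER: "uppercase"}},  # legitimate routing by function name
    {"ts": "2022-03-30T11:03:01Z", "src": "198.51.100.9", "method": "POST", "path": "/functionRouter",
     "status": 500, "headers": {"content-type": "application/json"}},  # unrelated 500, no header
    {"ts": "2022-03-30T11:05:27Z", "src": "203.0.113.5", "method": "POST", "path": "/functionRouter",
     "status": 500, "headers": {"Spring.Cloud.Function.Routing-Expression":
                                "T%28java.lang.Runtime%29.getRuntime%28%29.exec%28%27id%27%29"}},
]]


if __name__ == "__main__":
    for purl in ("pkg:maven/org.springframework.cloud/spring-cloud-function-core@3.2.2",
                 "pkg:maven/org.springframework.cloud/spring-cloud-function-context@3.2.3"):
        print(purl, "->", is_vulnerable_purl(purl))
    for f in scan_log_lines(SAMPLE_LOG_LINES):
        print(f["severity"], f["src"], f["expression"])
```

Run it against a real dependency list by feeding `is_vulnerable_purl` the purls from an SBOM (`None` means "not one of the two artifacts the advisory lists", not "safe"), and against real logs only if your edge actually records the routing header; most access-log formats do not, which is itself a detection gap worth closing while the upgrade to 3.1.7/3.2.3 is rolled out.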