Description
Spring Framework contains a ClassLoader manipulation vulnerability in its request data binding that can be escalated to remote code execution on systems running JDK 9 or later. Spring MVC and Spring WebFlux web applications may be vulnerable. Applications deployed as a Spring Boot executable jar are not vulnerable to the public exploit.
Remediation
Users of affected versions should upgrade: 5.3.x users should upgrade to 5.3.18+, and 5.2.x users should upgrade to 5.2.20+.
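As an added example that is not part of this advisory, the following defense-in-depth control blocks request-parameter binding onto class/ClassLoader property paths in a Spring MVC or WebFlux application, reducing exposure while the upgrade above is rolled out; the package and class names are hypothetical.

```java
// Added example (not from this advisory): global @InitBinder denylist that
// keeps request parameters from being bound onto "class" / "Class" property
// paths, which is how data binding reaches the ClassLoader in CVE-2022-22965.
// This is a stop-gap; upgrading to 5.3.18+ / 5.2.20+ remains the remediation.
package com.example.security; // hypothetical package name

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE) // run after other advice so it is not overridden
public class BinderControllerAdvice {

    @InitBinder
    public void denyClassBinding(WebDataBinder dataBinder) {
        // Both capitalisations are listed because disallowed-field matching
        // is case-sensitive in the affected releases.
        String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

A controller that declares its own @InitBinder and calls setDisallowedFields locally replaces this global list, so every such controller must include the same patterns.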
References
Spring4Shell: Security Analysis of the latest Java RCE '0-day' vulnerabilities in Spring
Spring Core on JDK9+ is vulnerable to remote code execution
Spring Framework RCE, Early Announcement
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+