killchain-compendium/exploit/java/spring4shell.md

436 B

CVE-2022-22965

  • Mitre CVE details

  • Follow up to CVE-2010-1622 by circumventing the patch for the vulnerability

  • RCE of *.jsp files through tomcat HTTP post request

  • Conditions

    • jdk9

    • Spring framework < 5.2, 5.2.0-19, 5.3.0-17
    • Apache tomcat
    • spring as WAR package
    • spring-webvmc or spring-webflux components of the spring framework