Spring Framework < 5.2.20 / 5.3.x < 5.3.18 Remote Code Execution (CVE-2022-22965)

critical Nessus Plugin ID 159374


The remote host contains a web application framework library that is affected by a remote code execution vulnerability.


The remote host contains a Spring Framework library version that is prior to 5.2.20 or 5.3.x prior to 5.3.18. It is, therefore, affected by a remote code execution vulnerability:

- A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

- These are the prerequisites for the exploit:
  - JDK 9 or higher
  - Apache Tomcat as the Servlet container
  - Packaged as WAR
  - spring-webmvc or spring-webflux dependency

Note that users are required to enable the 'Show potential false alarms' setting, also known as paranoid mode, in their scan policy in order to enable this plugin in a scan. In addition, the 'Perform thorough tests' setting must be enabled as well.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
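Because the plugin relies on the self-reported Spring Framework version, a practitioner who wants to reproduce the check locally, and to separate "unpatched version" from "all four exploit prerequisites present", can use a small script like the one below. This is an added example, not the plugin's NASL code: the version boundaries (5.2.20 / 5.3.18) and the prerequisite list come from the description above, while the `Host` record, its field names and the sample hosts are constructed for illustration.

```python
"""Local version and prerequisite check for CVE-2022-22965 (Spring4Shell).

Added example: mirrors the logic implied by the plugin description
(Spring Framework < 5.2.20, or 5.3.x < 5.3.18, plus the four documented
exploit prerequisites). Not the plugin's own NASL code.
"""
import re
from dataclasses import dataclass

FIXED_5_2 = (5, 2, 20)   # first fixed release on the 5.2 line
FIXED_5_3 = (5, 3, 18)   # first fixed release on the 5.3 line


@dataclass
class Host:
    """Constructed inventory record (field names are assumptions)."""
    spring_version: str      # e.g. "5.3.17" or "spring-core-5.2.19.RELEASE.jar"
    java_version: str        # e.g. "11.0.14" or "1.8.0_322"
    servlet_container: str   # e.g. "Apache Tomcat"
    packaging: str           # "war" or "jar"
    dependencies: set        # artifact ids found on the classpath


def parse_version(text):
    """Pull (major, minor, patch) out of a jar name or version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version):
    """True when the version falls in the plugin's affected ranges."""
    major, minor, patch = version
    if (major, minor) == (5, 3):
        return version < FIXED_5_3
    return version < FIXED_5_2


def java_major(version):
    """'1.8.0_322' -> 8, '11.0.14' -> 11, '17' -> 17."""
    parts = version.split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(parts[1])
    return int(parts[0])


def exploit_prerequisites_met(host):
    """All four prerequisites from the advisory text must hold."""
    return (
        java_major(host.java_version) >= 9
        and "tomcat" in host.servlet_container.lower()
        and host.packaging.lower() == "war"
        and bool(host.dependencies & {"spring-webmvc", "spring-webflux"})
    )


def assess(host):
    """Return 'not_vulnerable', 'vulnerable_version' or 'exploitable'.

    'vulnerable_version' means the library should still be upgraded even
    though the specific public exploit does not apply as-is.
    """
    if not is_vulnerable_version(parse_version(host.spring_version)):
        return "not_vulnerable"
    if exploit_prerequisites_met(host):
        return "exploitable"
    return "vulnerable_version"


# Constructed sample hosts (not real scan data).
TOMCAT_WAR_HOST = Host("spring-core-5.3.17.jar", "11.0.14", "Apache Tomcat",
                       "war", {"spring-webmvc", "spring-core"})
BOOT_JAR_HOST = Host("5.2.19.RELEASE", "17.0.2", "Apache Tomcat (embedded)",
                     "jar", {"spring-webmvc"})
JDK8_HOST = Host("5.3.17", "1.8.0_322", "Apache Tomcat",
                 "war", {"spring-webflux"})
PATCHED_HOST = Host("5.3.18", "11.0.14", "Apache Tomcat",
                    "war", {"spring-webmvc"})


if __name__ == "__main__":
    for name, host in [("tomcat-war", TOMCAT_WAR_HOST), ("boot-jar", BOOT_JAR_HOST),
                       ("jdk8", JDK8_HOST), ("patched", PATCHED_HOST)]:
        print(f"{name:12s} {host.spring_version:30s} {assess(host)}")
```

The script deliberately reports `vulnerable_version` for the Boot executable-jar and JDK 8 cases: the description states those deployments are not affected by the known exploit but that the underlying flaw is more general, so the upgrade in the Solution still applies to them.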


Upgrade to Spring Framework version 5.2.20 or 5.3.18 or later.


Plugin Details

Severity: Critical

ID: 159374

File Name: spring_CVE-2022-22965_local.nasl

Version: 1.10

Type: combined

Agent: windows, macosx, unix

Family: Misc.

Published: 3/31/2022

Updated: 1/18/2023

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus Agent

Risk Information


Risk Factor: Critical

Score: 9.8


CVSS v2.0

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-22965


CVSS v3.0

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:pivotal_software:spring_framework, cpe:/a:vmware:spring_framework

Required KB Items: Settings/ParanoidReport, installed_sw/Apache Tomcat, installed_sw/Java, installed_sw/Spring Framework

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/31/2022

Vulnerability Publication Date: 3/31/2022

CISA Known Exploited Vulnerability Due Dates: 4/25/2022

Exploitable With

Core Impact

Metasploit (Spring Framework Class property RCE (Spring4Shell))

Reference Information

CVE: CVE-2022-22965