Spring Framework Spring4Shell (CVE-2022-22965)

Nessus Plugin ID 159542 (Severity: Critical)


The remote host contains a web application framework library that is affected by a remote code execution vulnerability.


The remote host contains a Spring Framework library version that is prior to 5.2.20 or 5.3.x prior to 5.3.18. It is, therefore, affected by a remote code execution vulnerability:
- A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
- These are the prerequisites for the exploit:
  - JDK 9 or higher
  - Apache Tomcat as the Servlet container
  - Packaged as WAR
  - spring-webmvc or spring-webflux dependency


Upgrade to Spring Framework version 5.2.20 or 5.3.18 or later.
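An added triage helper, not part of the Nessus plugin or any Tenable or Spring code, that turns the affected version range and the four exploit prerequisites above into a check that can be run over an application inventory. The Deployment fields and the three verdict strings are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Fixed releases named in the plugin description above.
FIXED_5_2 = (5, 2, 20)
FIXED_5_3 = (5, 3, 18)

def parse_version(v: str) -> tuple:
    """Numeric (major, minor, patch) from '5.3.17', '5.2.19.RELEASE' or '5.3.0-RC1'.
    Qualifiers (RELEASE, RC, SNAPSHOT) are ignored, so pre-releases of a fixed
    version are reported as fixed; check build metadata separately if that matters."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Spring Framework version: {v!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def version_is_vulnerable(v: str) -> bool:
    """The plugin's version test: below 5.2.20, or a 5.3.x release below 5.3.18."""
    ver = parse_version(v)
    if ver[:2] == (5, 3):
        return ver < FIXED_5_3
    return ver < FIXED_5_2  # also catches 4.x, 5.0.x, 5.1.x; later branches (6.x) compare as fixed

@dataclass
class Deployment:
    """Inventory facts for one application (field names are this example's own)."""
    spring_version: str
    jdk_major: int
    servlet_container: str    # e.g. "tomcat", "jetty", "undertow"
    packaging: str            # "war" or "jar"
    has_web_dependency: bool  # spring-webmvc or spring-webflux on the classpath

def known_exploit_prereqs_met(d: Deployment) -> bool:
    """The four preconditions the description lists for the public exploit."""
    return (d.jdk_major >= 9
            and d.servlet_container.lower() == "tomcat"
            and d.packaging.lower() == "war"
            and d.has_web_dependency)

def triage(d: Deployment) -> str:
    """Three buckets: fixed, vulnerable version, vulnerable version with exploit prereqs."""
    if not version_is_vulnerable(d.spring_version):
        return "not affected"
    if known_exploit_prereqs_met(d):
        return "exploitable"     # vulnerable version and the public exploit's preconditions hold
    return "patch required"      # vulnerable version; other exploitation paths may exist
```

A "patch required" verdict is still a patch-now finding: the description itself notes the vulnerability is more general than the published exploit.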


Plugin Details

Severity: Critical

ID: 159542

File Name: spring4shell.nbin

Version: 1.28

Type: remote

Family: CGI abuses

Published: 4/6/2022

Updated: 7/17/2023

Risk Information


Risk Factor: Critical

Score: 9.8


CVSS v2.0

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-22965


CVSS v3.0

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:pivotal_software:spring_framework, cpe:/a:vmware:spring_framework

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 3/31/2022

Vulnerability Publication Date: 3/31/2022

CISA Known Exploited Vulnerability Due Dates: 4/25/2022

Exploitable With

Core Impact

Metasploit (Spring Framework Class property RCE (Spring4Shell))

Reference Information

CVE: CVE-2022-22965