April 7, 2022

The Spring Framework has been hit by a new 0-day vulnerability, located in the Java-based Core module of the framework.

This vulnerability has been confirmed by the Rapid7 research team and by the spring.io framework developers themselves. The confirmation came after a Chinese-speaking developer published exploit code that allowed unauthenticated users to obtain remote code execution (RCE) on a Spring Framework target.

Although the exploit code was removed, the probability of it being sold on the deep web is high, leaving systems that have not yet been patched exposed.

The flaw affects Spring MVC and Spring WebFlux applications running on a JDK version higher than 9.

The vulnerability does not yet have a CVE; however, Spring has already released security patches as versions 5.3.18 and 5.2.20 of the Spring Framework through Maven Central.

Spring is a very popular framework present in numerous web projects, and the fact that this vulnerability does not require a high technical level to exploit makes it very dangerous. Patching as soon as possible is therefore recommended.
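As an added illustration (not code from the original post), the following Python check flags Spring Framework artifacts in `mvn dependency:list` output that are older than the patched 5.3.18 and 5.2.20 releases named above; the artifact list, the handling of unlisted branches and the sample build output are constructed assumptions.

```python
import re
from typing import List, Tuple

# Patched releases named in the advisory, keyed by maintenance branch (major, minor).
# Assumption: a branch not listed here received no fix and is reported as unpatched.
FIXED_VERSIONS = {
    (5, 3): (5, 3, 18),
    (5, 2): (5, 2, 20),
}

# Assumption: core artifacts worth checking; extend to match your build.
SPRING_ARTIFACTS = {"spring-core", "spring-beans", "spring-webmvc", "spring-webflux"}

# Matches lines such as "[INFO]    org.springframework:spring-core:jar:5.3.17:compile".
# The version group stops before any qualifier like ".RELEASE".
DEP_LINE = re.compile(r"org\.springframework:(?P<artifact>[\w-]+):jar:(?P<version>\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.3.17' into (5, 3, 17) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: str) -> bool:
    """True if the version predates the patched release of its own branch."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return True  # no patched release exists for this branch
    return parsed < fixed


def find_unpatched(dependency_list: str) -> List[Tuple[str, str]]:
    """Return (artifact, version) pairs from mvn dependency:list output that need patching."""
    findings = []
    for line in dependency_list.splitlines():
        match = DEP_LINE.search(line)
        if match and match.group("artifact") in SPRING_ARTIFACTS:
            if is_vulnerable(match.group("version")):
                findings.append((match.group("artifact"), match.group("version")))
    return findings


# Constructed sample output, not captured from a real build.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-core:jar:5.3.17:compile
[INFO]    org.springframework:spring-webmvc:jar:5.3.18:compile
[INFO]    org.springframework:spring-beans:jar:5.2.19.RELEASE:compile
[INFO]    org.springframework:spring-webflux:jar:5.1.20.RELEASE:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
"""

if __name__ == "__main__":
    for artifact, version in find_unpatched(SAMPLE_OUTPUT):
        print(f"UNPATCHED {artifact} {version}")
```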
