CVE-2010-1622 – org.springframework:spring
Package
Manager: maven
Name: org.springframework:spring
Vulnerable Version: >=2.5.0 <2.5.7 || >=3.0.0 <3.0.3
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.01674 (percentile: 0.8142)
Details
Improper Control of Generation of Code ('Code Injection') in Spring Framework. SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing `class.classLoader.URLs[0]=jar:` followed by a URL of a crafted .jar file.
Metadata
Created: 2022-05-17T03:28:34Z
Modified: 2024-03-14T21:28:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vpr3-f594-mg5g/GHSA-vpr3-f594-mg5g.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-vpr3-f594-mg5g
Finding: F422
Auto approve: 1