Summary #

Invicti detected that the application is vulnerable to a remote code execution (RCE) vulnerability mainly affecting Spring MVC or Spring WebFlux applications on JDK 9+.

Impact #

The vulnerability allows attackers to execute arbitrary Java code on the target system. The attacker may also be able to execute arbitrary system commands.

Exploit of the vulnerability is known widely and should be addressed as soon as possible.

Remediation #

Affected applications should update to the latest available version of Spring. If you are using version 3.5.X you should update to version 3.5.18 or higher. Affected users with Spring 5.2.X should at least update their installations to 5.2.20 or above. If no immediate update to the higher version is possible, you can also use the workaround provided in the official spring announcement until the update can be rolled out.

Classifications #
PCI v3.2-6.5.1; CAPEC-242; CWE-94; HIPAA-164.306(a), 164.308(a); ISO27001-A.14.2.5; OWASP 2017-A1 , CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Index

Vulnerability Index

You can search and find all vulnerabilities

OR

Search Vulnerability

Netsparker

Dead accurate, fast & easy-to-use Web Application Security Scanner

Get a demo