Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2010-1622: Code Injection in Spring Framework

Severity: 6.0 MEDIUM (NVD)
EPSS: 1.9% (top 16.93%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Jun 21; latest update Sep 4

Description

SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.

CVSS vector

AV:N/AC:M/C:P/I:P/A:P (Exploitability: 6.8 | Impact: 6.4)

Affected Packages (3 packages)

NVD: springsource/spring_framework (11 versions)
Palo Alto: paloalto/pan-os
NVD: oracle/fusion_middleware (11.1.1.6.1, 11.1.1.8.0, 7.6.2 and 2 more)

🔴 Vulnerability Details (3)

OSV: Improper Control of Generation of Code ('Code Injection') in Spring Framework (2022-05-17)
GHSA: Improper Control of Generation of Code ('Code Injection') in Spring Framework (2022-05-17)
CVEList: CVE-2010-1622: SpringSource Spring Framework 2 (2010-06-21)

💥 Exploits & PoCs (1)

Exploit-DB: Spring Framework - Arbitrary Code Execution (2010-06-18)

📋 Vendor Advisories (2)

Palo Alto: PAN-SA-2024-0008 Informational Bulletin: Impact of OSS CVEs in PAN-OS (2024-09-04)
Red Hat: CVE-2010-1622 SpringSource Spring Framework (x < 2.5.6.SEC02, 2.5.7.SR01, 3.0.3): Arbitrary Java code execution via an HTTP request containing a specially-crafted .jar file (2010-06-17)

💬 Community (1)

Bugzilla: CVE-2010-1622 SpringSource Spring Framework (x < 2.5.6.SEC02, 2.5.7.SR01, 3.0.3): Arbitrary Java code execution via an HTTP request containing a specially-crafted .jar file (2010-06-22)
CVE-2010-1622 — Code Injection in Spring Framework | cvebase