Open doctore74 opened 2 years ago
No. I think it's relatively easy to spot vulnerable Spring apps since the operator can see any Tomcat instances. I reviewed some real exploit payloads in the wild and concluded it's easy to detect and block using a WAF. If there is a lot of demand for a Spring scanner, I will reconsider a Spring scanner (but a Spring scanner should be another repo in that case).
I see. Thanks for the quick answer.
Hi @xeraph! I would love to see a Spring scanner; I think it could be very helpful!
Hi, +1 :) Since you are already extracting all jar and war files, it would be really cool to have it search for both issues. For now I use https://github.com/hillu/local-spring-vuln-scanner and run both commands periodically.
I would love to see a CVE-2022-22965 scanner!
@xeraph An integration would be best practice. We would not need a second run over the same files.
I would like another tool. Possibly it's different servers than before. So two tools would be great.
Hi, I also would love to see Spring scanning; it will be great :)
I will add my name to the list for a scanner. Thanks.
Hi,
Do you have any plans to integrate detection for Spring4Shell (CVE-2022-22965)?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/