yang991178 / fluent-reader

Modern desktop RSS reader built with Electron, React, and Fluent UI
https://hyliu.me/fluent-reader/
BSD 3-Clause "New" or "Revised" License

CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ #424

Closed t3dium closed 2 years ago

t3dium commented 2 years ago

A new Windows Defender definition breaks fluent-reader, as it's vulnerable to remote code execution. ClamAV also picks this up.

https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html
https://tanzu.vmware.com/security/cve-2022-22965


As a result, on the second load the app isn't functional because files have been quarantined.

Suggested solution: update the Spring Framework, https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

yang991178 commented 2 years ago

This looks strange, as no component of the Spring Framework is contained in this app. It seems that the quarantined files are just data files for the IndexedDB database used for storing subscriptions and articles.

t3dium commented 1 year ago

Defender is still quarantining this to this day; it seems to do so every once in a while, breaking the app until the user manually restores what it considers a "threat".
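For anyone hitting the same cycle, the following PowerShell is an added example (not code from the fluent-reader project or from anyone in this thread) showing how to confirm that the detection really points at the app's IndexedDB data files, which signature fired, and how to restore the quarantined files or exclude the folder so Defender stops breaking the app. It assumes the Electron userData directory lives at %APPDATA%\fluent-reader; adjust $AppData if your install puts it elsewhere. It uses only the standard Defender cmdlets and MpCmdRun.exe.

```powershell
# Added example, not part of fluent-reader or this issue thread.
# Assumption: fluent-reader's Electron userData (including the IndexedDB/LevelDB
# files that hold feeds and articles) is under %APPDATA%\fluent-reader.
$AppData = Join-Path $env:APPDATA 'fluent-reader'

# 1. Which Defender detections touched files inside the app's data folder?
#    Resources holds entries such as 'file:_C:\Users\...\IndexedDB\...\000123.ldb',
#    so a hit here means Defender matched article/feed *data*, not an executable.
$hits = Get-MpThreatDetection | Where-Object {
    $_.Resources -match [regex]::Escape($AppData)
}
$hits | Select-Object ThreatID, InitialDetectionTime, ActionSuccess, Resources | Format-List

# 2. Resolve the threat IDs to signature names so the false positive can be reported
#    (or the name can be used for the restore in step 3).
$hits | ForEach-Object { Get-MpThreat -ThreatID $_.ThreatID } |
    Select-Object ThreatName, SeverityID | Sort-Object ThreatName -Unique

# 3. Inspect quarantine and restore by threat name (run from an elevated shell).
#    Replace <ThreatName> with the exact name printed in step 2; do not guess it.
$mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpcmd -Restore -ListAll
# & $mpcmd -Restore -Name '<ThreatName>'

# 4. Stop the cycle: exclude the data folder from scanning (elevated shell).
#    Trade-off: Defender will no longer scan these LevelDB files. They are read as
#    data by Electron and never executed, so the practical risk is low, but it is
#    still a deliberate choice to make per machine rather than a default.
Add-MpPreference -ExclusionPath $AppData
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
```

Step 1 is the check worth doing before anything else: if every flagged resource sits under the IndexedDB directory, the signature is matching exploit text that arrived inside a syndicated article (the CVE write-ups themselves carry the payload strings), which is consistent with the maintainer's point that no Spring component ships with the app. If a flagged path is instead an executable or DLL, treat it as a real detection and do not add the exclusion.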