Candidate: CVE-2022-22965
PublicDate: 2022-04-01 23:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
 https://bugalert.org/content/notices/2022-03-30-spring.html
 https://tanzu.vmware.com/security/cve-2022-22965
 https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
 https://github.com/spring-projects/spring-framework/issues/28260
Description:
 A Spring MVC or Spring WebFlux application running on JDK 9+ may be
 vulnerable to remote code execution (RCE) via data binding. The specific
 exploit requires the application to run on Tomcat as a WAR deployment. If
 the application is deployed as a Spring Boot executable jar, i.e. the
 default, it is not vulnerable to the exploit. However, the nature of the
 vulnerability is more general, and there may be other ways to exploit it.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: high
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_libspring-java:
upstream: https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15
upstream_libspring-java: needs-triage
trusty/esm_libspring-java: needs-triage
trusty_libspring-java: ignored (out of standard support)
xenial_libspring-java: ignored (out of standard support)
bionic_libspring-java: needs-triage
focal_libspring-java: needs-triage
impish_libspring-java: needs-triage
jammy_libspring-java: needs-triage
devel_libspring-java: needs-triage