CVE-2022-22965— Spring Framework 代码注入漏洞
公开利用映射 2
Metasploit · 1 spring_framework_rce_spring4shell.rb [exploit]
Nuclei · 1 CVE-2022-22965.yaml [template]
已观察到在野利用 cisa_kev · confirmed
获取后续新漏洞提醒登录后订阅
一、 漏洞 CVE-2022-22965 基础信息
漏洞信息
对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗ 尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
来源: 美国国家漏洞数据库 NVD
CVSS Information
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
对生成代码的控制不恰当(代码注入)
来源: 美国国家漏洞数据库 NVD
Vulnerability Title
Spring Framework 代码注入漏洞
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Description
Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。 Spring Framework 存在代码注入漏洞,该漏洞源于 JDK 9+ 上的数据绑定的 RCE。以下产品和版本受到影响:5.3.0 至 5.3.17、5.2.0 至 5.2.19、较旧的和不受支持的版本也会受到影响。
来源: 中国国家信息安全漏洞库 CNNVD
CVSS Information
N/A
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Type
N/A
来源: 中国国家信息安全漏洞库 CNNVD
受影响产品
| 厂商 | 产品 | 影响版本 | CPE | 订阅 |
|---|---|---|---|---|
| - | Spring Framework | Spring Framework versions 5.3.X prior to 5.3.18+, 5.2.x prior to 5.2.20+ and all old and unsupported versions | - |
二、漏洞 CVE-2022-22965 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|---|---|---|
| 1 | Spring4Shell Proof Of Concept/And vulnerable application CVE-2022-22965 | https://github.com/BobTheShoplifter/Spring4Shell-POC | POC详情 |
| 2 | CVE-2022-22965 : about spring core rce | https://github.com/Mr-xn/spring-core-rce | POC详情 |
| 3 | Spring4Shell - Spring Core RCE - CVE-2022-22965 | https://github.com/TheGejr/SpringShell | POC详情 |
| 4 | Dockerized Spring4Shell (CVE-2022-22965) PoC application and exploit | https://github.com/reznok/Spring4Shell-POC | POC详情 |
| 5 | spring-core单个图形化利用工具,CVE-2022-22965及修复方案已出 | https://github.com/light-Life/CVE-2022-22965-GUItools | POC详情 |
| 6 | CVE-2022-22965 - CVE-2010-1622 redux | https://github.com/DDuarte/springshell-rce-poc | POC详情 |
| 7 | spring框架RCE漏洞 CVE-2022-22965 | https://github.com/k3rwin/spring-core-rce | POC详情 |
| 8 | springFramework_CVE-2022-22965_RCE简单利用 | https://github.com/liangyueliangyue/spring-core-rce | POC详情 |
| 9 | None | https://github.com/Kirill89/CVE-2022-22965-PoC | POC详情 |
| 10 | Exploit a vulnerable Spring application with the Spring4Shell (CVE-2022-22965) Vulnerability. | https://github.com/FourCoreLabs/spring4shell-exploit-poc | POC详情 |
| 11 | Spring Framework RCE (Quick pentest notes) | https://github.com/alt3kx/CVE-2022-22965_PoC | POC详情 |
| 12 | Vulnerabilidad RCE en Spring Framework vía Data Binding on JDK 9+ (CVE-2022-22965 aka "Spring4Shell") | https://github.com/GuayoyoCyber/CVE-2022-22965 | POC详情 |
| 13 | A Safer PoC for CVE-2022-22965 (Spring4Shell) | https://github.com/colincowie/Safer_PoC_CVE-2022-22965 | POC详情 |
| 14 | None | https://github.com/rwincey/spring4shell-CVE-2022-22965 | POC详情 |
| 15 | CVE-2022-22965 poc including reverse-shell support | https://github.com/viniciuspereiras/CVE-2022-22965-poc | POC详情 |
| 16 | Created after the release of CVE-2022-22965 and CVE-2022-22963. Bash script that detects Spring Framework occurrences in your projects and systems, allowing you to get insight on versions used. Unpacks JARs and analyzes their Manifest files. | https://github.com/mebibite/springhound | POC详情 |
| 17 | CVE-2022-22965 EXP | https://github.com/likewhite/CVE-2022-22965 | POC详情 |
| 18 | SpringFramework 远程代码执行漏洞CVE-2022-22965 | https://github.com/Axx8/SpringFramework_CVE-2022-22965_RCE | POC详情 |
| 19 | Showcase of overridding the Spring Framework version in older Spring Boot versions | https://github.com/snicoll-scratches/spring-boot-cve-2022-22965 | POC详情 |
| 20 | Spring-0day/CVE-2022-22965 | https://github.com/nu0l/CVE-2022-22965 | POC详情 |
| 21 | 批量无损检测CVE-2022-22965 | https://github.com/tangxiaofeng7/CVE-2022-22965-Spring-Core-Rce | POC详情 |
| 22 | CVE-2022-22965 spring-core批量检测脚本 | https://github.com/whoami0622/CVE-2022-22965-POC | POC详情 |
| 23 | None | https://github.com/helsecert/CVE-2022-22965 | POC详情 |
| 24 | None | https://github.com/lcarea/CVE-2022-22965 | POC详情 |
| 25 | CVE-2022-22965 Environment | https://github.com/Joe1sn/CVE-2022-22965 | POC详情 |
| 26 | Spring4Shell (CVE-2022-22965) | https://github.com/zer0yu/CVE-2022-22965 | POC详情 |
| 27 | Spring Framework RCE via Data Binding on JDK 9+ / spring4shell / CVE-2022-22965 | https://github.com/me2nuk/CVE-2022-22965 | POC详情 |
| 28 | CVE-2022-22965 | https://github.com/wshon/spring-framework-rce | POC详情 |
| 29 | CVE-2022-22965 POC | https://github.com/Wrin9/CVE-2022-22965 | POC详情 |
| 30 | CVE-2022-22965\Spring-Core-RCE堪比关于 Apache Log4j2核弹级别漏洞exp的rce一键利用 | https://github.com/wjl110/CVE-2022-22965_Spring_Core_RCE | POC详情 |
| 31 | None | https://github.com/mwojterski/cve-2022-22965 | POC详情 |
| 32 | Nmap Spring4Shell NSE script for Spring Boot RCE (CVE-2022-22965) | https://github.com/gpiechnik2/nmap-spring4shell | POC详情 |
| 33 | Docker PoC for CVE-2022-22965 with Spring Boot version 2.6.5 | https://github.com/itsecurityco/CVE-2022-22965 | POC详情 |
| 34 | PowerShell port of CVE-2022-22965 vulnerability check by colincowie. | https://github.com/daniel0x00/Invoke-CVE-2022-22965-SafeCheck | POC详情 |
| 35 | Intentionally vulnerable Spring app to test CVE-2022-22965 | https://github.com/fracturelabs/spring4shell_victim | POC详情 |
| 36 | CVE-2022-22965 (Spring4Shell) Proof of Concept | https://github.com/sunnyvale-it/CVE-2022-22965-PoC | POC详情 |
| 37 | Spring4Shell - CVE-2022-22965 | https://github.com/twseptian/cve-2022-22965 | POC详情 |
| 38 | Another spring4shell (Spring core RCE) POC | https://github.com/netcode/Spring4shell-CVE-2022-22965-POC | POC详情 |
| 39 | Vulnerability scanner for Spring4Shell (CVE-2022-22965) | https://github.com/fracturelabs/go-scan-spring | POC详情 |
| 40 | Spring has Confirmed the RCE in Spring Framework. The team has just published the statement along with the mitigation guides for the issue. Now, this vulnerability can be tracked as CVE-2022-22965. | https://github.com/Snip3R69/spring-shell-vuln | POC详情 |
| 41 | Spring4Shell is a critical RCE vulnerability in the Java Spring Framework and is one of three related vulnerabilities published on March 30 | https://github.com/0xr1l3s/CVE-2022-22965 | POC详情 |
| 42 | Spring Framework RCE Exploit | https://github.com/luoqianlin/CVE-2022-22965 | POC详情 |
| 43 | Exploit Of Spring4Shell! | https://github.com/0xrobiul/CVE-2022-22965 | POC详情 |
| 44 | A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. | https://github.com/LudovicPatho/CVE-2022-22965_Spring4Shell | POC详情 |
| 45 | None | https://github.com/irgoncalves/irule-cve-2022-22965 | POC详情 |
| 46 | The demo code showing the recent Spring4Shell RCE (CVE-2022-22965) | https://github.com/datawiza-inc/spring-rec-demo | POC详情 |
| 47 | Spring Framework RCE (CVE-2022-22965) Nmap (NSE) Checker (Non-Intrusive) | https://github.com/alt3kx/CVE-2022-22965 | POC详情 |
| 48 | CVE-2022-22965 pocsuite3 POC | https://github.com/wikiZ/springboot_CVE-2022-22965 | POC详情 |
| 49 | CVE-2022-22965写入冰蝎webshell脚本 | https://github.com/4nth0ny1130/spring4shell_behinder | POC详情 |
| 50 | Spring4Shell PoC (CVE-2022-22965) | https://github.com/t3amj3ff/Spring4ShellPoC | POC详情 |
| 51 | None | https://github.com/CalumHutton/CVE-2022-22965-PoC_Payara | POC详情 |
| 52 | None | https://github.com/fransvanbuul/CVE-2022-22965-susceptibility | POC详情 |
| 53 | Script to check for Spring4Shell vulnerability | https://github.com/jrgdiaz/Spring4Shell-CVE-2022-22965.py | POC详情 |
| 54 | Spring4Shell , Spring Framework RCE (CVE-2022-22965) , Burpsuite Plugin | https://github.com/Loneyers/Spring4Shell | POC详情 |
| 55 | spring4shell | CVE-2022-22965 | https://github.com/p1ckzi/CVE-2022-22965 | POC详情 |
| 56 | exploitation script tryhackme | https://github.com/Omaraitbenhaddi/-Spring4Shell-CVE-2022-22965- | POC详情 |
| 57 | None | https://github.com/c4mx/CVE-2022-22965_PoC | POC详情 |
| 58 | None | https://github.com/mariomamo/CVE-2022-22965 | POC详情 |
| 59 | None | https://github.com/khidottrivi/CVE-2022-22965 | POC详情 |
| 60 | None | https://github.com/Enokiy/spring-RCE-CVE-2022-22965 | POC详情 |
| 61 | CVE-2022-22965 Spring4Shell research & PoC | https://github.com/cxzero/CVE-2022-22965-spring4shell | POC详情 |
| 62 | burpsuite 的Spring漏洞扫描插件。SpringVulScan:支持检测:路由泄露|CVE-2022-22965|CVE-2022-22963|CVE-2022-22947|CVE-2016-4977 | https://github.com/tpt11fb/SpringVulScan | POC详情 |
| 63 | EXP for Spring4Shell(CVE-2022-22965) | https://github.com/D1mang/Spring4Shell-CVE-2022-22965 | POC详情 |
| 64 | CVE-2022-22965图形化检测工具 | https://github.com/iloveflag/Fast-CVE-2022-22965 | POC详情 |
| 65 | None | https://github.com/ClemExp/CVE-2022-22965-PoC | POC详情 |
| 66 | CVE-2022-22965 proof of concept | https://github.com/clemoregan/SSE4-CVE-2022-22965 | POC详情 |
| 67 | None | https://github.com/devengpk/CVE-2022-22965 | POC详情 |
| 68 | CVE-2022-22965\Spring-Core-RCE核弹级别漏洞的rce图形化GUI一键利用工具,基于JavaFx开发,图形化操作更简单,提高效率。 | https://github.com/zangcc/CVE-2022-22965-rexbb | POC详情 |
| 69 | User friendly Spring4Shell POC | https://github.com/ajith737/Spring4Shell-CVE-2022-22965-POC | POC详情 |
| 70 | 🚀 Exploit for Spring core RCE in C [ wip ] | https://github.com/c33dd/CVE-2022-22965 | POC详情 |
| 71 | Demonstrable Proof of Concept Exploit for Spring4Shell Vulnerability (CVE-2022-22965) | https://github.com/gokul-ramesh/Spring4Shell-PoC-exploit | POC详情 |
| 72 | A simple python script for a firewall rule that blocks incoming requests based on the Spring4Shell (CVE-2022-22965) vulnerability | https://github.com/bL34cHig0/Telstra-Cybersecurity-Virtual-Experience- | POC详情 |
| 73 | Poc&Exp,支持批量扫描,反弹shell | https://github.com/BKLockly/CVE-2022-22965 | POC详情 |
| 74 | Spring rce environment for CVE-2022-22965 | https://github.com/dbgee/Spring4Shell | POC详情 |
| 75 | PoC and exploit for CVE-2022-22965 Spring4Shell | https://github.com/jakabakos/CVE-2022-22965-Spring4Shell | POC详情 |
| 76 | A quick python script that automates the exploitation of the second deadliest Java based vulnerability CVE-2022-22965. | https://github.com/h4ck0rman/Spring4Shell-PoC | POC详情 |
| 77 | None | https://github.com/sohamsharma966/Spring4Shell-CVE-2022-22965 | POC详情 |
| 78 | Spring4Shell Vulnerability RCE - CVE-2022-22965 | https://github.com/LucasPDiniz/CVE-2022-22965 | POC详情 |
| 79 | None | https://github.com/xsxtw/SpringFramework_CVE-2022-22965_RCE | POC详情 |
| 80 | Script to check for Spring4Shell vulnerability | https://github.com/te5t321/Spring4Shell-CVE-2022-22965.py | POC详情 |
| 81 | None | https://github.com/guigui237/Expoitation-de-la-vuln-rabilit-CVE-2022-22965 | POC详情 |
| 82 | POC firewall with rules designed to detect and block Spring4Shell vulnerability (CVE-2022-22965) exploit | https://github.com/BlackBird63030/Block-Spring4Shell | POC详情 |
| 83 | POC firewall with rules designed to detect and block Spring4Shell vulnerability (CVE-2022-22965) exploit | https://github.com/SkyM1raj/Block-Spring4Shell | POC详情 |
| 84 | POC firewall with rules designed to detect and block Spring4Shell vulnerability (CVE-2022-22965) exploit | https://github.com/Aur3ns/Block-Spring4Shell | POC详情 |
| 85 | In this challenge, I analyzed the Spring4Shell (CVE-2022-22965) vulnerability, investigated security bypasses, and wrote an Incident Postmortem Report detailing the detection, impact, and resolution of the attack. I also implemented a firewall rule in Python to block malicious requests and prevent future exploitation. | https://github.com/jashan-lefty/Spring4Shell | POC详情 |
| 86 | spring-core单个图形化利用工具,CVE-2022-22965及修复方案已出 | https://github.com/Bouquets-ai/CVE-2022-22965-GUItools | POC详情 |
| 87 | Spring MVC and Spring WebFlux applications running on Java Development Kit 9+ are susceptible to remote code execution via data binding. It requires the application to run on Tomcat as a WAR deployment. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-22965.yaml | POC详情 |
| 88 | A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. | https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/cves/2022/CVE-2022-22965.yaml | POC详情 |
| 89 | None | https://github.com/Threekiii/Awesome-POC/blob/master/%E5%BC%80%E5%8F%91%E6%A1%86%E6%9E%B6%E6%BC%8F%E6%B4%9E/Spring%20Data%20Binding%E4%B8%8EJDK%209%2B%E5%AF%BC%E8%87%B4%E7%9A%84%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2022-22965.md | POC详情 |
| 90 | https://github.com/vulhub/vulhub/blob/master/spring/CVE-2022-22965/README.md | POC详情 | |
| 91 | Firewall rules to mitigate a zero-day vulnerability malware attack (CVE-2022-22965), known as Spring4Shell | https://github.com/ESSAFAR/Firewall-Rules | POC详情 |
| 92 | SpringFramework 远程代码执行漏洞CVE-2022-22965 | https://github.com/SecNN/SpringFramework_CVE-2022-22965_RCE | POC详情 |
| 93 | Hands-on lab on detecting and mitigating web app threats using OWASP ZAP, Burp Suite, and ModSecurity WAF (with OWASP CRS). Case study: Spring4Shell (CVE-2022-22965). Local Docker-based setup. | https://github.com/brunoh6/web-threat-mitigation | POC详情 |
| 94 | (CVE-2022-22965)PoC 应用程序和漏洞利用 | https://github.com/ZapcoMan/spring4shell-vulnerable-application | POC详情 |
| 95 | Spring4Shell (POC) | https://github.com/osungjinwoo/CVE-2022-22965 | POC详情 |
| 96 | Python-based simulated firewall to detect and block Spring4Shell (CVE-2022-22965) exploit attempts. This project filters HTTP requests by identifying malicious payload patterns using a custom firewall_server.py and tests them with test_requests.py. | https://github.com/Nosie12/fire-wall-server | POC详情 |
| 97 | 🔒 Spring4Shell Firewall Defense — Cybersecurity Incident Simulation This project is part of a Cybersecurity Job Simulation I completed in August 2025 through Forage. It focuses on detecting, analyzing, and mitigating a simulated real-world cyberattack involving the Spring4Shell (CVE-2022-22965) vulnerability | https://github.com/salo-404/firewall | POC详情 |
| 98 | None | https://github.com/shoucheng3/spring-projects__spring-framework_CVE-2022-22965_5-2-19-RELEASE | POC详情 |
| 99 | Cybersecurity simulation showcasing SOC analyst skills in malware triage, incident response, and vulnerability management (Spring4Shell CVE-2022-22965). | https://github.com/Toph404/telstra-cyber-analyst-job-simulation | POC详情 |
| 100 | Proof-of-Concept (POC) of a simple firewall in Python designed to mitigate the Spring4Shell (CVE-2022-22965) RCE attack by inspecting and blocking malicious request bodies. | https://github.com/NickoPS87/Spring4Shell-Python-Firewall-POC | POC详情 |
| 101 | CVE-2022-22965 proof of concept for CS4239 report | https://github.com/xenosf/CS4239-Spring4Shell-POC | POC详情 |
| 102 | Fully automated Spring4Shell (CVE-2022-22965) + GitLab RCE framework | https://github.com/mylo-2001/GhostStrike | POC详情 |
| 103 | A Remote Code Execution exploit targeting Spring Framework vulnerability CVE-2022-22965 💀 | https://github.com/Hghost0x00/CVE-2022-22965 | POC详情 |
| 104 | None | https://github.com/dbwlsdnr95/CVE-2022-22965-spring4shell | POC详情 |
| 105 | None | https://github.com/nhattanhh/CVE-2022-22965 | POC详情 |
| 106 | CVE-2022-22965 - Spring4Shell | https://github.com/Anon2Fear/CVE-2022-22965 | POC详情 |
| 107 | A comprehensive Security Operations Centre (SOC) incident response simulation demonstrating threat detection, triage, analysis, and mitigation of the Spring4Shell vulnerability (CVE-2022-22965). | https://github.com/Shakur1314/CVE-2022-22965-Spring4Shell-Security-Operations-Analysis | POC详情 |
| 108 | None | https://github.com/dbwlsdnr95/CVE-2022-22965 | POC详情 |
| 109 | Spring4Shell (CVE-2022-22965) DFIR lab with exploit simulation, Python WAF, IOC-based detection, and PCAP analysis. | https://github.com/suyash-R-K/dfir-malware-investigation | POC详情 |
| 110 | None | https://github.com/aditidutta696-dev/Spring4Shell-CVE-2022-22965-Exploitation-Attempt | POC详情 |
AI 生成 POC高级
未找到公开 POC。
登录以生成 AI POC三、漏洞 CVE-2022-22965 的情报信息
请登录查看更多情报信息。
CVE-2022-22965 厂商安全公告 (4)
- https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdfx_refsource_CONFIRM
- https://www.oracle.com/security-alerts/cpujul2022.htmlx_refsource_MISC
- https://www.oracle.com/security-alerts/cpuapr2022.htmlx_refsource_MISC
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67vendor-advisoryx_refsource_CISCO
CVE-2022-22965 公开利用代码 (1)
CVE-2022-22965 其他参考 (2)
- https://tanzu.vmware.com/security/cve-2022-22965x_refsource_MISC
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005x_refsource_CONFIRM
同批安全公告 · n/a · 2022-04-01 · 共 32 条
| CVE-2022-25017 | 9.1 CRITICAL | Hitron Technologies CHITA Router Firmware 操作系统命令注入漏洞 |
| CVE-2022-21235 | 8.1 HIGH | Masterminds VCS 参数注入漏洞 |
| CVE-2022-24440 | 8.1 HIGH | cocoapods-downloader 参数注入漏洞 |
| CVE-2022-21223 | 8.1 HIGH | cocoapods-downloader 参数注入漏洞 |
| CVE-2022-24066 | 8.1 HIGH | simple-git-hooks 参数注入漏洞 |
| CVE-2022-22950 | Vmware Spring Framework 安全漏洞 | |
| CVE-2021-20238 | Red Hat OpenShift Container Platform 访问控制错误漏洞 | |
| CVE-2021-32503 | SICK FieldEcho 资源管理错误漏洞 | |
| CVE-2021-3461 | Red Hat Keycloak代码问题漏洞 | |
| CVE-2021-20295 | Red Hat Enterprise Linux 缓冲区错误漏洞 | |
| CVE-2021-27223 | Kaspersky Anti-Virus安全漏洞 | |
| CVE-2022-27534 | Kaspersky Anti-Virus 安全漏洞 | |
| CVE-2022-25155 | Mitsubishi Electric MELSEC iQ-F series 授权问题漏洞 | |
| CVE-2022-25156 | Mitsubishi Electric MELSEC iQ-F series 加密问题漏洞 | |
| CVE-2022-25157 | Mitsubishi Electric MELSEC iQ-F series 授权问题漏洞 | |
| CVE-2022-25159 | Mitsubishi Electric MELSEC iQ-F series 安全漏洞 | |
| CVE-2022-25158 | Mitsubishi Electric MELSEC iQ-F series 安全漏洞 | |
| CVE-2022-25160 | Mitsubishi Electric Factory Automation 安全漏洞 | |
| CVE-2021-3847 | Linux kernel 安全漏洞 | |
| CVE-2019-14839 | Business-central 信息泄露漏洞 |
显示前 20 条,共 32 条。 查看全部 → →
IV. Related Vulnerabilities
V. Comments for CVE-2022-22965
暂无评论