CVE-2010-1622

EPSS 52.0%

SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.

Affected products

n/a · n/a

public PoCs found — 6

githubgithub.com/DDuarte/springshell-rce-poc★ 19 githubgithub.com/E-bounce/cve-2010-1622_learning_environment★ 2 githubgithub.com/strainerart/Spring4Shell★ 0 githubgithub.com/HandsomeCat00/Spring-CVE-2010-1622★ 0 cve_referencewww.exploit-db.com/exploits/13918unverified exploitdbwww.exploit-db.com/exploits/13918unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html http://geronimo.apache.org/21x-security-report.html http://geronimo.apache.org/22x-security-report.html http://secunia.com/advisories/41016 http://secunia.com/advisories/41025 http://secunia.com/advisories/43087 http://www.exploit-db.com/exploits/13918 http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html http://www.redhat.com/support/errata/RHSA-2011-0175.html http://www.securityfocus.com/archive/1/511877 http://www.securityfocus.com/bid/40954 http://www.securitytracker.com/id/1033898