Article - CS379670
Spring Framework RCE via Data Binding on JDK 9+ (CVE-2022-22965) reported for Jasperreports bundled in Windchill PDMLink
Modified: 08-Nov-2022
Applies To
- Windchill PDMLink 12.0 to 12.1
Description
- The following Spring Framework RCE via Data Binding on JDK 9+ vulnerability is reported for the Jasperreports library bundled in Windchill PDMLink:
- CVE-2022-22965
- CVSS Score: 9.8
- Description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
- Mitigation: An SPR has been reported to update to the latest available non-vulnerable version.
- Applicability: Under analysis
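The mitigation this article tracks is the library update under the SPR. Where the affected Spring MVC application's controllers are under your control, Spring's published interim workaround for this data-binding issue is to refuse binding of the `class` property paths that the exploit relies on. The snippet below is an added example written for this article (it is not PTC's, Windchill's or Jasperreports' code); it assumes a Spring MVC application on Spring Framework 5.x with `spring-web` on the classpath, and the class name `BinderControllerAdvice` is a placeholder.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Hypothetical class name; applies to every controller in the application.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Deny binding of any request parameter whose property path reaches
        // "class"/"Class", directly or through a nested property, so that
        // attacker-controlled parameters cannot traverse into the ClassLoader.
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

Two caveats a practitioner should keep in mind: a controller that registers its own `@InitBinder` method calling `setDisallowedFields` replaces this global list rather than merging with it, so such controllers need the same patterns added locally; and the workaround only narrows the data-binding entry point, so it does not replace the version update the SPR calls for.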