module
Spring Framework Class property RCE (Spring4Shell)
Disclosed | Created |
---|---|
Mar 31, 2022 | May 10, 2022 |
Description
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions are vulnerable to remote code
execution when running on JDK 9 or above, packaged as a traditional WAR, and deployed in a standalone Tomcat
instance. The flaw is unsafe data binding: when an object is populated from request parameters, the binding can
be used to reach and set properties of the Tomcat-specific ClassLoader. By crafting a request to the application
and referencing the org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as
class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can
gain remote code execution.
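
A detection-side check for the parameter pattern described above, added here as an example (it is not part of the Metasploit module or of Spring): it flags request parameter names whose property path passes through a class segment, mirroring the class.* and *.class.* field patterns that Spring's advisory recommends disallowing. The function names and the sample inputs are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Property paths are split on '.', '[' and ']' so that dotted and indexed
# notation are treated the same way.
_SEGMENT_SPLIT = re.compile(r"[.\[\]]+")


def _decode(value, rounds=3):
    """URL-decode repeatedly so encoded and double-encoded names are normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(raw):
    """Return the decoded parameter names in a query string or form body whose
    property path goes *through* a 'class' segment (case-insensitive).

    A name that merely ends in 'class' (e.g. course.class) is not flagged,
    which matches the class.* / *.class.* patterns rather than every use of
    the word.
    """
    hits = []
    for pair in re.split(r"[&;]", raw):
        name = _decode(pair.split("=", 1)[0]).strip()
        segments = [s.lower() for s in _SEGMENT_SPLIT.split(name) if s]
        if "class" in segments[:-1]:
            hits.append(name)
    return hits


# Constructed sample inputs: one benign request, the parameter quoted in the
# description, and the same parameter URL-encoded with a capitalised first segment.
SAMPLES = [
    "name=alice&course.class=Math101",
    "class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp",
    "id=7&Class%2Emodule%2EclassLoader%2Eresources%2Econtext%2Eparent"
    "%2Epipeline%2Efirst%2Esuffix=.jsp",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(suspicious_params(sample) or "clean", "<-", sample[:60])
```

Run it over decoded query strings and form bodies from access logs or a WAF tap; a hit on a Spring application that has not been upgraded past the affected versions warrants review of the Tomcat webapp directories for unexpected .jsp files.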
Author
vleminator vleminator@gmail.com
Platform
Linux,Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
