PT-2010-1181 · Spring · Spring Framework

Published

2010-06-21

·

Updated

2023-02-13

·

CVE-2010-1622

CVSS v2.0

6.0

Medium

Vector

AV:N/AC:M/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Spring Framework versions 2.5.x through 2.5.5, 2.5.7 before 2.5.7.SR01, and 3.0.x through 3.0.2

Description

The issue is caused by the Spring Framework's data binding not restricting which bean properties an HTTP request may set, which lets a remote attacker reach the class.classLoader property of a form-backing bean and execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by the URL of a specially crafted .jar file.

Recommendations

For versions 2.5.x through 2.5.5, update to version 2.5.6.SEC02 or later. For version 2.5.7, update to version 2.5.7.SR01 or later. For versions 3.0.x through 3.0.2, update to version 3.0.3 or later. As a temporary workaround, consider restricting access to the class.classLoader.URLs[0] parameter in HTTP requests, for example by preventing the data binder from binding the class property chain at all, to minimize the risk of exploitation.
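The workaround above, restricting the data binder so that the class property chain cannot be set from request parameters, as an added example (not the advisory's or the Spring Framework's own code; the OrderForm bean, the /order mapping and the field patterns are assumptions):

```java
// Added example (not part of the original advisory or of the Spring Framework's own code):
// a Spring MVC controller that applies the advisory's workaround by refusing to bind
// any request parameter that reaches the "class" property chain of the form-backing bean.
// Assumed: a hypothetical form bean "OrderForm" and URL "/order"; the field patterns
// follow the commonly published guidance for this class of bug.
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class OrderController {

    // Hypothetical form-backing bean; every JavaBean exposes getClass(), and therefore
    // "class.classLoader", to the data binder unless binding is restricted.
    public static class OrderForm {
        private String item;
        private int quantity;
        public String getItem() { return item; }
        public void setItem(String item) { this.item = item; }
        public int getQuantity() { return quantity; }
        public void setQuantity(int quantity) { this.quantity = quantity; }
    }

    @InitBinder
    public void restrictBinding(WebDataBinder binder) {
        // Positive list: only the fields the form actually needs may be bound.
        binder.setAllowedFields("item", "quantity");
        // Defence in depth: explicitly block the "class" property chain at any depth,
        // so class.classLoader.URLs[0] and similar paths are never reachable.
        binder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");
    }

    @RequestMapping(value = "/order", method = RequestMethod.POST)
    public String submit(@ModelAttribute("order") OrderForm form) {
        // Disallowed parameters are dropped by the binder (recorded as suppressed
        // fields on the BindingResult); the handler only sees the whitelisted fields.
        return "orderConfirmed";
    }
}
```

Patching to a fixed version remains the actual remedy; the binder restriction only closes the binding path used by this advisory and should be applied to every controller that binds request parameters to beans.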

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2022-05406
CVE-2010-1622
GHSA-VPR3-F594-MG5G
RHSA-2011:0175

Affected Products

Spring Framework