PT-2022-2029 · Spring · Spring Cloud Function

Published: 2022-03-29 · Updated: 2026-04-30 · CVE-2022-22963

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions

Description: The issue is a remote code execution vulnerability in Spring Cloud Function when the routing functionality is used. A user can supply a specially crafted SpEL expression as the routing-expression, which may result in remote code execution and access to local resources. The vulnerability is exploited by providing a specially crafted SpEL expression, such as T(java.lang.Runtime).getRuntime().exec("xcalc"), in the spring.cloud.function.routing-expression parameter. This allows an attacker to execute arbitrary code on the affected system.

Recommendations: For Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, consider disabling the routing functionality or restricting access to the spring.cloud.function.routing-expression parameter until a patch is available. As a temporary workaround, avoid using the spring.cloud.function.routing-expression parameter with untrusted input. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
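Because the injection arrives in a named request header, exploitation attempts can be hunted for in web-server or proxy logs. The following Python detector is an added example, not code from this advisory or from Spring: the header name is the one named above, while the SpEL indicator patterns and the sample requests are constructed for illustration.

```python
"""Flag HTTP requests carrying SpEL in the Spring Cloud Function routing header.
Added detection example for CVE-2022-22963; indicator patterns and sample
requests are constructed for illustration, not taken from Spring or the advisory."""
import re
from typing import Dict

# Header/parameter name from the advisory; HTTP header names are case-insensitive.
ROUTING_HEADER = "spring.cloud.function.routing-expression"

# SpEL constructs a client-supplied routing expression should never need
# (assumed indicator list for this example).
SUSPICIOUS_SPEL = [
    re.compile(r"\bT\s*\("),                              # type reference T(...)
    re.compile(r"java\.lang\.(Runtime|ProcessBuilder)"),  # process-spawning classes
    re.compile(r"\.exec\s*\("),                           # Runtime.exec call
    re.compile(r"\bnew\s+[A-Za-z_][\w.]*\s*\("),          # constructor invocation
    re.compile(r"@\w+"),                                  # bean reference
]

def parse_headers(raw_request: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP request into lower-cased names."""
    headers: Dict[str, str] = {}
    for line in raw_request.splitlines()[1:]:   # skip the request line
        if not line.strip():
            break                               # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify_request(raw_request: str) -> Dict[str, object]:
    """Report whether the routing header is present and which indicators it matched."""
    expr = parse_headers(raw_request).get(ROUTING_HEADER)
    if expr is None:
        return {"routing_header": False, "suspicious": False, "indicators": []}
    hits = [p.pattern for p in SUSPICIOUS_SPEL if p.search(expr)]
    return {"routing_header": True, "suspicious": bool(hits),
            "indicators": hits, "expression": expr}

# Constructed samples: a plausible legitimate routing expression and the payload quoted above.
BENIGN_REQUEST = ("POST /functionRouter HTTP/1.1\nHost: app.internal\n"
                  "spring.cloud.function.routing-expression: headers['function.name']\n")
MALICIOUS_REQUEST = ("POST /functionRouter HTTP/1.1\nHost: app.internal\n"
                     "spring.cloud.function.routing-expression: "
                     'T(java.lang.Runtime).getRuntime().exec("xcalc")\n')

if __name__ == "__main__":
    for req in (BENIGN_REQUEST, MALICIOUS_REQUEST):
        print(classify_request(req))
```

A hit on any indicator is a strong signal, but the presence of the routing header alone on an Internet-facing endpoint is already worth alerting on while the workaround above is in place.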

Exploit

RCE

Code Injection

Allocation of Resources Without Limits

Special Elements Injection

Related Identifiers

BDU:2022-01628
CVE-2022-22963
GHSA-6V73-FGF6-W5J7
RHSA-2022:1291

Affected Products

Spring Cloud Function