CVE-2022-22963

KEV
Published: Apr 01, 2022 Last Modified: Ott 30, 2025
ExploitDB:
Other exploit source:
Google Dorks:
CRITICAL 9,8
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
HIGH 7,5
Source: [email protected]
Access Vector: network
Access Complexity: low
Authentication: none
Confidentiality: partial
Integrity: partial
Availability: partial

Description

AI Translation Available

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,9446
Percentile
1,0th
Updated

EPSS Score Trend (Last 90 Days)

94

Improper Control of Generation of Code ('Code Injection')

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control Integrity Confidentiality Availability Non-Repudiation
Potential Impacts:
Bypass Protection Mechanism Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands Hide Activities
Applicable Platforms
Languages: Interpreted
Technologies: AI/ML
Likelihood of Exploit: Medium
View CWE Details
917

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity
Potential Impacts:
Read Application Data Execute Unauthorized Code Or Commands
Applicable Platforms
Languages: Java
View CWE Details
Exploit

Spring Cloud 3.2.2 - Remote Command Execution (RCE)

Spring Cloud 3.2.2 - Remote Command Execution (RCE)

Author: GatoGamer1155 Published:
View Exploit Code →
Application

Communications Cloud Native Core Policy by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Policy
Version 22.1.0
cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Network Function Cloud Native Environment by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Network Function Cloud Native Environment
Version 22.1.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Product Lifecycle Analytics by Oracle

Product Information
Vendor Oracle
Product Product Lifecycle Analytics
Version 3.6.1.0
cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Financial Services Behavior Detection Platform by Oracle

Product Information
Vendor Oracle
Product Financial Services Behavior Detection Platform
Version 8.1.1.1
cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Sd-Wan Edge by Oracle

Product Information
Vendor Oracle
Product Sd-Wan Edge
Version 9.1
cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Financial Services Enterprise Case Management by Oracle

Product Information
Vendor Oracle
Product Financial Services Enterprise Case Management
Version 8.1.2.0
cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Financial Services Analytical Applications Infrastructure by Oracle

Product Information
Vendor Oracle
Product Financial Services Analytical Applications Infrastructure
Version 8.1.2.0
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Banking Origination by Oracle

Product Information
Vendor Oracle
Product Banking Origination
Version 14.5
cpe:2.3:a:oracle:banking_origination:14.5:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Network Function Cloud Native Environment by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Network Function Cloud Native Environment
Version 22.1.2
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.2:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Banking Credit Facilities Process Management by Oracle

Product Information
Vendor Oracle
Product Banking Credit Facilities Process Management
Version 14.5
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Automated Test Suite by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Automated Test Suite
Version 22.1.0
cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:22.1.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Network Slice Selection Function by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Network Slice Selection Function
Version 1.8.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Unified Data Repository by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Unified Data Repository
Version 22.1.0
cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.1.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Financial Services Analytical Applications Infrastructure by Oracle

Product Information
Vendor Oracle
Product Financial Services Analytical Applications Infrastructure
Version 8.1.1.0
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Spring Cloud Function by Vmware

Product Information
Vendor Vmware
Product Spring Cloud Function
Version Range Affected
From 3.2.0 (inclusive)
To 3.2.2 (inclusive)
cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Financial Services Enterprise Case Management by Oracle

Product Information
Vendor Oracle
Product Financial Services Enterprise Case Management
Version 8.1.1.0
cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Banking Supply Chain Finance by Oracle

Product Information
Vendor Oracle
Product Banking Supply Chain Finance
Version 14.5
cpe:2.3:a:oracle:banking_supply_chain_finance:14.5:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Policy by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Policy
Version 22.1.3
cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.3:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Communications Policy Management by Oracle

Product Information
Vendor Oracle
Product Communications Communications Policy Management
Version 12.6.0.0.0
cpe:2.3:a:oracle:communications_communications_policy_management:12.6.0.0.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Banking Cash Management by Oracle

Product Information
Vendor Oracle
Product Banking Cash Management
Version 14.5
cpe:2.3:a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Financial Services Behavior Detection Platform by Oracle

Product Information
Vendor Oracle
Product Financial Services Behavior Detection Platform
Version 8.1.2.0
cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Banking Corporate Lending Process Management by Oracle

Product Information
Vendor Oracle
Product Banking Corporate Lending Process Management
Version 14.5
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Network Repository Function by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Network Repository Function
Version 1.15.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Sd-Wan Edge by Oracle

Product Information
Vendor Oracle
Product Sd-Wan Edge
Version 9.0
cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Retail Xstore Point Of Service by Oracle

Product Information
Vendor Oracle
Product Retail Xstore Point Of Service
Version 21.0.0
cpe:2.3:a:oracle:retail_xstore_point_of_service:21.0.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Spring Cloud Function by Vmware

Product Information
Vendor Vmware
Product Spring Cloud Function
Version Range Affected
To 3.1.6 (inclusive)
cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Banking Liquidity Management by Oracle

Product Information
Vendor Oracle
Product Banking Liquidity Management
Version 14.5
cpe:2.3:a:oracle:banking_liquidity_management:14.5:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Financial Services Behavior Detection Platform by Oracle

Product Information
Vendor Oracle
Product Financial Services Behavior Detection Platform
Version 8.1.1.0
cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Automated Test Suite by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Automated Test Suite
Version 1.9.0
cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Retail Xstore Point Of Service by Oracle

Product Information
Vendor Oracle
Product Retail Xstore Point Of Service
Version 20.0.1
cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Banking Electronic Data Exchange For Corporates by Oracle

Product Information
Vendor Oracle
Product Banking Electronic Data Exchange For Corporates
Version 14.5
cpe:2.3:a:oracle:banking_electronic_data_exchange_for_corporates:14.5:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Banking Trade Finance Process Management by Oracle

Product Information
Vendor Oracle
Product Banking Trade Finance Process Management
Version 14.5
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Mysql Enterprise Monitor by Oracle

Product Information
Vendor Oracle
Product Mysql Enterprise Monitor
Version Range Affected
To 8.0.29 (inclusive)
cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Policy by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Policy
Version 1.15.0
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Console by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Console
Version 22.1.0
cpe:2.3:a:oracle:communications_cloud_native_core_console:22.1.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Network Repository Function by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Network Repository Function
Version 22.1.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Banking Liquidity Management by Oracle

Product Information
Vendor Oracle
Product Banking Liquidity Management
Version 14.2
cpe:2.3:a:oracle:banking_liquidity_management:14.2:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Banking Branch by Oracle

Product Information
Vendor Oracle
Product Banking Branch
Version 14.5
cpe:2.3:a:oracle:banking_branch:14.5:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Security Edge Protection Proxy by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Security Edge Protection Proxy
Version 1.7.0
cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Network Function Cloud Native Environment by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Network Function Cloud Native Environment
Version 1.10.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Unified Data Repository by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Unified Data Repository
Version 1.15.0
cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Security Edge Protection Proxy by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Security Edge Protection Proxy
Version 22.1.0
cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Network Slice Selection Function by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Network Slice Selection Function
Version 22.1.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Console by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Console
Version 1.9.0
cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Network Exposure Function by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Network Exposure Function
Version 22.1.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Banking Virtual Account Management by Oracle

Product Information
Vendor Oracle
Product Banking Virtual Account Management
Version 14.5
cpe:2.3:a:oracle:banking_virtual_account_management:14.5:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Financial Services Enterprise Case Management by Oracle

Product Information
Vendor Oracle
Product Financial Services Enterprise Case Management
Version 8.1.1.1
cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://www.cisa.gov/known-exploited-vulnerabilities-catalo…
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022…
http://packetstormsecurity.com/files/173430/Spring-Cloud-3.…
http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-E…
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-…
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005
https://tanzu.vmware.com/security/cve-2022-22963
https://tanzu.vmware.com/security/cve-2022-22963
https://tools.cisco.com/security/center/content/CiscoSecuri…
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-…
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
http://packetstormsecurity.com/files/173430/Spring-Cloud-3.…
http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-E…
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-…
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005
https://tanzu.vmware.com/security/cve-2022-22963
https://tanzu.vmware.com/security/cve-2022-22963
https://tools.cisco.com/security/center/content/CiscoSecuri…
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-…
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpujul2022.html