CVE-2022-22963 — VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability
2022-08-25 • CISA Known Exploited Vulnerability
[event] When using routing functionality in VMware Tanzu's Spring Cloud Function, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
> AFFECTED SOFTWARE
| Field | Value |
|---|---|
| Vendor | VMware Tanzu |
| Product | Spring Cloud |
| CWE | CWE-94 |
| CVE ID | CVE-2022-22963 |
| Date Added | 2022-08-25 |
| Due Date | 2022-09-15 |
| Ransomware Campaign | Unknown |
> MITIGATION
Apply updates per vendor instructions.
Due Date: 2022-09-15