CVE-2010-1622 — Improper Control of Generation of Code ('Code Injection') in Spring Framework

Description

SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing `class.classLoader.URLs[0]=jar:` followed by a URL of a crafted .jar file.

How to fix CVE-2010-1622

To remediate CVE-2010-1622, upgrade the affected package to a fixed version below.

Maven/org.springframework:spring—upgrade to 2.5.7 or later

Is CVE-2010-1622 being exploited?

Low — EPSS is 1.6%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 2.5.0, < 2.5.7

References (17)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2010-1622
PATCHgithub.com/spring-projects/spring-framework
WEBgeronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html
WEBgeronimo.apache.org/21x-security-report.html
WEB