CVE-2010-1622
EPSS 1.6%Improper Control of Generation of Code ('Code Injection') in Spring Framework
Published: 5/17/2022Modified: 12/3/2024
Also known as:GHSA-vpr3-f594-mg5g
Description
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing `class.classLoader.URLs[0]=jar:` followed by a URL of a crafted .jar file.
Affected packages (1)
- Maven/org.springframework:spring>= 2.5.0, < 2.5.7
References (17)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2010-1622
- PATCHhttps://github.com/spring-projects/spring-framework
- WEBhttp://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html
- WEBhttp://geronimo.apache.org/21x-security-report.html
- WEBhttp://geronimo.apache.org/22x-security-report.html
- WEBhttps://access.redhat.com/errata/RHSA-2011:0175
- WEBhttps://access.redhat.com/security/cve/CVE-2010-1622
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=606706
- WEBhttps://github.com/spring-projects/spring-framework/commit/3a5af35d37c79d0644d49b93f792a4c18fe8eb71
- WEBhttps://seclists.org/fulldisclosure/2010/Jun/456
- WEBhttps://web.archive.org/web/20100623011648/http://www.springsource.com/security/cve-2010-1622
- WEBhttps://web.archive.org/web/20161014113129/http://www.securitytracker.com/id/1033898
- WEBhttps://web.archive.org/web/20200227210033/http://www.securityfocus.com/archive/1/511877
- WEBhttps://web.archive.org/web/20200228060816/http://www.securityfocus.com/bid/40954
- WEBhttp://www.exploit-db.com/exploits/13918
- WEBhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
- WEBhttp://www.redhat.com/support/errata/RHSA-2011-0175.html