Just yesterday Spring officially announced a Spring Framework RCE vulnerability, CVE-2022-22965. Upgrading to Spring Framework 5.3.18+ or 5.2.20+ remains the main official Spring recommendation: these releases are stated to address the root cause, to harden against some related attacks, and to fix other CVEs as well. Although the vulnerability is not in Tomcat itself, the Apache Tomcat team has also released versions 10.0.20, 9.0.62 and 8.5.78, which are the official Tomcat mitigation for the reported CVE-2022-22965 vulnerability. For older, unsupported versions of Spring Framework, the vulnerability can therefore be circumvented by upgrading the Tomcat version.
Updates:
[15:40 BST] Spring Boot 2.6.6 is available.
[14:38 BST] Spring Boot 2.5.12 is available.
[14:00 BST] CVE-2022-22965 is published.
[13:03 BST] Added section "Misconceptions".
[12:34 BST] Added section "Am I Impacted".
[12:11 BST] Fix minor issue in the workaround for adding disallowedFields.
[11:59 BST] Spring Framework versions 5.3.18 and 5.2.20, which address the vulnerability, are now available. The release process for Spring Boot is in progress.

Overview

I would like to announce an RCE vulnerability in the Spring Framework that was leaked out ahead of CVE publication.
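The disallowedFields workaround referred to in the update log, written out here as an added example for applications that cannot upgrade yet (this is not the code from the Spring announcement; the class name is mine and the pattern list is the one commonly published for this workaround, assumed to match the official one):

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Global data-binder configuration applied to every @Controller in the application.
// Global @InitBinder methods run before a controller's own @InitBinder methods, so a
// controller that calls setDisallowedFields() itself replaces this list and must
// repeat these entries; @Order keeps this advice last among other advice beans.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Property paths that request-parameter binding must never be allowed to reach.
    // Patterns are matched case-sensitively in affected versions, hence both
    // spellings; the "*." prefix covers the same properties on nested beans.
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        dataBinder.setDisallowedFields(DENYLIST);
    }
}
```

Treat this as a stopgap only: it narrows the binding surface but does not replace upgrading to Spring Framework 5.3.18 / 5.2.20 or the fixed Tomcat releases named above.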