TopVuln

High-risk vulnerability digests

CVE-2022-22963

  • CRITICAL
  • KEV

VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability

Details

CVSS v3
9.8
CVSS v2
7.5
NVD published
2022-04-01 23:15:13
CISA date
2022-08-25
EPSS
94.5% probability · 100.0th percentile — 2026-04-08
Affected versions
cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:* cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_branch:14.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_electronic_data_exchange_for_corporates:14.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_liquidity_management:14.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_liquidity_management:14.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_origination:14.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_supply_chain_finance:14.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_virtual_account_management:14.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_console:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_communications_policy_management:12.6.0.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:21.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:*
Summary
When using routing functionality in VMware Tanzu's Spring Cloud Function, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
Remediation
Apply updates per vendor instructions.
Exploit info
No exploit-tagged NVD references in our cache; see the CISA KEV link below.

View on NVD  ·  CISA KEV catalog

TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.

Subscribe — free email digest or paid plan

Information is aggregated from multiple authoritative sources for convenience; verify with NVD and vendors before operational decisions.