TopVuln

High-risk vulnerability digests

CVE-2022-22965

  • CRITICAL
  • KEV

Spring Framework JDK 9+ Remote Code Execution Vulnerability

Details

CVSS v3
9.8
CVSS v2
7.5
NVD published
2022-04-01 23:15:13
CISA date
2022-04-04
EPSS
94.4% probability · 100.0th percentile — 2026-04-08
Affected versions
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdk:*:*:*:*:*:*:*:* cpe:2.3:a:cisco:cx_cloud_agent:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_console:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_policy_management:12.6.0.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:21.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:* cpe:2.3:a:siemens:operation_scheduler:*:*:*:*:*:*:*:* cpe:2.3:a:siemens:sipass_integrated:2.80:*:*:*:*:*:*:* cpe:2.3:a:siemens:sipass_integrated:2.85:*:*:*:*:*:*:* cpe:2.3:a:siemens:siveillance_identity:1.5:*:*:*:*:*:*:* cpe:2.3:a:siemens:siveillance_identity:1.6:*:*:*:*:*:*:* cpe:2.3:a:veritas:access_appliance:7.4.3:*:*:*:*:*:*:* cpe:2.3:a:veritas:access_appliance:7.4.3.100:*:*:*:*:*:*:* cpe:2.3:a:veritas:access_appliance:7.4.3.200:*:*:*:*:*:*:* cpe:2.3:a:veritas:access_appliance:7.4.3:*:*:*:*:*:*:* cpe:2.3:a:veritas:access_appliance:7.4.3.100:*:*:*:*:*:*:* cpe:2.3:a:veritas:access_appliance:7.4.3.200:*:*:*:*:*:*:* cpe:2.3:a:veritas:flex_appliance:1.3:*:*:*:*:*:*:* cpe:2.3:a:veritas:flex_appliance:2.0:*:*:*:*:*:*:*
Summary
Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Remediation
Apply updates per vendor instructions.
Exploit info
No exploit-tagged NVD references in our cache; see the CISA KEV link below.

View on NVD  ·  CISA KEV catalog

TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.

Subscribe — free email digest or paid plan

Information is aggregated from multiple authoritative sources for convenience; verify with NVD and vendors before operational decisions.