Thank you for your advice and help :)

On 05.04.2022 at 21:54, Andrea Del Bene wrote:
Also it is worth mentioning that we have an upcoming version (9.9.1) that has Spring core dependency updated to 5.3.18

On 05/04/22 21:47, Martin Grigorov wrote:
On Tue, Apr 5, 2022, 13:18 kyrindorx <kyrind...@gmail.com> wrote:

Hi,

Thank you for the first answer to this issue. I also have a question
about https://github.com/MarcGiffing/wicket-spring-boot and an upgrade of
spring-beans or Spring in general. Do you have a good idea how to upgrade Spring
to version 5.2.20, 5.3.18 without an impact on wicket-spring-boot?
I'll be thankful for any hints :)

Just update/overwrite the Spring version in your pom.xml and all should be
fine!


Background:

https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751


Greets
Daniel


On 01.04.2022 at 20:17, Martin Grigorov wrote:
Hi,

I don't think a normal Wicket application is vulnerable to this attack.
But I recommend you to update Spring in your applications anyway.

On Fri, Apr 1, 2022, 10:21 kyrindorx <kyrind...@gmail.com> wrote:

Hello everyone,

The internet developer community found a bug in
spring-beans/spring-webmvc on 03/30/2022. I would like to know to what
extent Wicket could be affected by this exploit? I think it should be a
specific behavior with Spring and the servlet engine (Tomcat was used in
the exploit), but Wicket is also a servlet-driven web framework.

The exploit used a code injection block with "<% bad java code/cmds %>"
and a bean introspection via a REST service call. What is the opinion of
the Wicket core team on this issue?

Thanks in advance
Daniel


Sources:
https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751
(informed by github)
https://tanzu.vmware.com/security/cve-2022-22965
https://github.com/tweedge/springcore-0day-en

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
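
A check to run after the version override suggested in the thread (an added example, not part of the original messages): this Python script scans `mvn dependency:tree` output for `org.springframework` artifacts older than the 5.2.20 / 5.3.18 releases named above. The sample tree is constructed, the function names are hypothetical, and treating branches from 6.x on as already patched is an assumption.

```python
import re

# Fixed releases named in the thread, keyed by (major, minor) branch.
FIXED = {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)}
# Matches Spring Framework coordinates only (not org.springframework.boot etc.).
COORD = re.compile(r"org\.springframework:[^\s:]+(?::[^\s:]+)+")

def parse_version(text):
    """Return (major, minor, patch), ignoring suffixes such as .RELEASE."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def is_patched(version):
    if version[0] >= 6:  # assumption: later major lines already carry the fix
        return True
    fixed = FIXED.get(version[:2])
    # Branches without a listed fixed release (5.1.x, 4.x, ...) count as unpatched.
    return fixed is not None and version >= fixed

def unpatched_spring(tree_output):
    """List (artifactId, version) for Spring artifacts below the fixed releases."""
    findings = []
    for line in tree_output.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        # Layout: groupId:artifactId:type[:classifier]:version:scope
        parts = m.group(0).split(":")
        if len(parts) < 5:
            continue
        artifact, raw = parts[1], parts[-2]
        version = parse_version(raw)
        if version is None or not is_patched(version):
            findings.append((artifact, raw))
    return findings

# Constructed sample of `mvn dependency:tree` output (not from a real project).
SAMPLE_TREE = """\
[INFO] com.example:demo-app:war:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.6.5:compile
[INFO] |  +- org.springframework:spring-webmvc:jar:5.3.17:compile
[INFO] |  \\- org.springframework:spring-beans:jar:5.3.18:compile
[INFO] \\- org.springframework:spring-core:jar:5.2.19.RELEASE:compile
"""

if __name__ == "__main__":
    for artifact, version in unpatched_spring(SAMPLE_TREE):
        print(f"update needed: {artifact} {version}")
```

An empty result after the override means every Spring Framework artifact on the resolved classpath is at or above the fixed releases, including those pulled in transitively.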
