GoogleOSV:GHSA-VPR3-F594-MG5GImproper Control of Generation of Code ('Code Injection') in Spring Framework
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.
References
geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html
geronimo.apache.org/21x-security-report.html
geronimo.apache.org/22x-security-report.html
www.exploit-db.com/exploits/13918
www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
www.redhat.com/support/errata/RHSA-2011-0175.html
access.redhat.com/errata/RHSA-2011:0175
access.redhat.com/security/cve/CVE-2010-1622
bugzilla.redhat.com/show_bug.cgi?id=606706
github.com/spring-projects/spring-framework
github.com/spring-projects/spring-framework/commit/3a5af35d37c79d0644d49b93f792a4c18fe8eb71
nvd.nist.gov/vuln/detail/CVE-2010-1622
seclists.org/fulldisclosure/2010/Jun/456
web.archive.org/web/20100623011648/www.springsource.com/security/cve-2010-1622
web.archive.org/web/20161014113129/www.securitytracker.com/id/1033898
web.archive.org/web/20200227210033/www.securityfocus.com/archive/1/511877
web.archive.org/web/20200228060816/www.securityfocus.com/bid/40954
Related
