Contribution to "Remote Code Execution in Spring Framework" #176
+1
−39
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Updates
As per the Spring framework core contributor @rstoyanchev in #169 (comment)
spring-beansalone is not vulnerable and should not be included in this advisory.Keeping
spring-beansin this advisory will flag every Spring application to be vulnerable to CVE-2022-22965 aka Spring4Shell when it is commonly agreed the vulnerability can only be exploited viaspring-webmvcand/orspring-webfluxas described in https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted.Please consider removing
spring-beansfrom the advisory by merging this PR. Thanks.