Remote Code Execution Vulnerability in Spring Tools and Extensions by VMware
CVE-2022-31691

9.8CRITICAL

Key Information:

Vendor
Vmware
Status
Spring By Vmware
Vendor
CVE Published:
4 November 2022

Badges

👾 Exploit Exists🟣 EPSS 14%

Summary

The vulnerability affects Spring Tools 4 for Eclipse and various extensions in VSCode that utilize the Snakeyaml library for YAML handling. Under specific conditions, this vulnerability permits attackers to execute arbitrary code remotely, posing a significant risk to users of these tools. Versions 4.16.0 and earlier of Spring Tools for Eclipse, along with specific versions of Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor, and Cloudfoundry Manifest YML Support, all exhibit this flaw, highlighting the need for immediate attention and action.

Affected Version(s)

Spring by VMware Spring Tools 4 for Eclipse version 4.16.0 and below as well as VSCode extensions such as Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor and Cloudfoundry Manifest YML Support version 1.39.0 and below all use Snakeyaml library for YAML editing support.

References

https://tanzu.vmware.com/security/cve-2022-31691

EPSS Score

14% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.
🍪 This website uses cookies, like every other website on the internet 😕 By using our website, you consent to the use of cookies.