Remote Code Execution Vulnerability in Spring Tools and Extensions by VMware
CVE-2022-31691
Key Information:
- Vendor: VMware
- CVE Published: 4 November 2022
What is CVE-2022-31691?
The vulnerability affects Spring Tools 4 for Eclipse and various VS Code extensions that use the SnakeYAML library for YAML handling. Under specific conditions, it permits attackers to execute arbitrary code remotely, posing a significant risk to users of these tools. Versions 4.16.0 and earlier of Spring Tools for Eclipse, along with specific versions of Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor, and Cloudfoundry Manifest YML Support, all exhibit this flaw.

Affected Version(s)
Spring by VMware: Spring Tools 4 for Eclipse version 4.16.0 and below, as well as VS Code extensions such as Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor and Cloudfoundry Manifest YML Support version 1.39.0 and below, all use the SnakeYAML library for YAML editing support.
References
EPSS Score
12% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability Reserved