Remote Code Execution Vulnerability in Spring Tools and Extensions by VMware
CVE-2022-31691

9.8 CRITICAL

Key Information:

Vendor: VMware
CVE Published: 4 November 2022

Badges

👾 Exploit Exists

Summary

The vulnerability affects Spring Tools 4 for Eclipse and various VSCode extensions that use the Snakeyaml library for YAML handling. Under specific conditions, it permits attackers to execute arbitrary code remotely. Spring Tools for Eclipse versions 4.16.0 and earlier, along with specific versions of Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor, and Cloudfoundry Manifest YML Support, all exhibit this flaw.

Affected Version(s)

Spring by VMware Spring Tools 4 for Eclipse version 4.16.0 and below, as well as VSCode extensions such as Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor and Cloudfoundry Manifest YML Support version 1.39.0 and below, all use the Snakeyaml library for YAML editing support.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved