CVE-2022-22963

Summary

CVE: CVE-2022-22963
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2022-04-01 23:15:00 UTC
Updated: 2023-07-13 23:15:00 UTC
Description: In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

Risk And Classification

EPSS: 0.944620000 probability, percentile 0.999950000 (date 2026-04-01)

CISA KEV: Listed on 2022-08-25; due 2022-09-15; ransomware use Unknown

Problem Types: CWE-917

CISA Known Exploited Vulnerability

Vendor: VMware Tanzu
Product: Spring Cloud
Name: VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability
Required Action: Apply updates per vendor instructions.
Notes: https://tanzu.vmware.com/security/cve-2022-22963; https://nvd.nist.gov/vuln/detail/CVE-2022-22963

NVD Known Affected Configurations (CPE 2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Application | Oracle | Banking Branch | 14.5 | All | All | All
Application | Oracle | Banking Cash Management | 14.5 | All | All | All
Application | Oracle | Banking Corporate Lending Process Management | 14.5 | All | All | All
Application | Oracle | Banking Credit Facilities Process Management | 14.5 | All | All | All
Application | Oracle | Banking Electronic Data Exchange For Corporates | 14.5 | All | All | All
Application | Oracle | Banking Liquidity Management | 14.2 | All | All | All
Application | Oracle | Banking Liquidity Management | 14.5 | All | All | All
Application | Oracle | Banking Origination | 14.5 | All | All | All
Application | Oracle | Banking Supply Chain Finance | 14.5 | All | All | All
Application | Oracle | Banking Trade Finance Process Management | 14.5 | All | All | All
Application | Oracle | Banking Virtual Account Management | 14.5 | All | All | All
Application | Oracle | Communications Cloud Native Core Automated Test Suite | 1.9.0 | All | All | All
Application | Oracle | Communications Cloud Native Core Automated Test Suite | 22.1.0 | All | All | All
Application | Oracle | Communications Cloud Native Core Console | 1.9.0 | All | All | All
Application | Oracle | Communications Cloud Native Core Console | 22.1.0 | All | All | All
Application | Oracle | Communications Cloud Native Core Network Exposure Function | 22.1.0 | All | All | All
Application | Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 1.10.0 | All | All | All
Application | Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 22.1.0 | All | All | All
Application | Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 22.1.2 | All | All | All
Application | Oracle | Communications Cloud Native Core Network Repository Function | 1.15.0 | All | All | All
Application | Oracle | Communications Cloud Native Core Network Repository Function | 22.1.0 | All | All | All
Application | Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.8.0 | All | All | All
Application | Oracle | Communications Cloud Native Core Network Slice Selection Function | 22.1.0 | All | All | All
Application | Oracle | Communications Cloud Native Core Policy | 1.15.0 | All | All | All
Application | Oracle | Communications Cloud Native Core Policy | 22.1.0 | All | All | All
Application | Oracle | Communications Cloud Native Core Policy | 22.1.3 | All | All | All
Application | Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 1.7.0 | All | All | All
Application | Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 22.1.0 | All | All | All
Application | Oracle | Communications Cloud Native Core Unified Data Repository | 1.15.0 | All | All | All
Application | Oracle | Communications Cloud Native Core Unified Data Repository | 22.1.0 | All | All | All
Application | Oracle | Communications Communications Policy Management | 12.6.0.0.0 | All | All | All
Application | Oracle | Financial Services Analytical Applications Infrastructure | 8.1.1.0 | All | All | All
Application | Oracle | Financial Services Analytical Applications Infrastructure | 8.1.2.0 | All | All | All
Application | Oracle | Financial Services Behavior Detection Platform | 8.1.1.0 | All | All | All
Application | Oracle | Financial Services Behavior Detection Platform | 8.1.1.1 | All | All | All
Application | Oracle | Financial Services Behavior Detection Platform | 8.1.2.0 | All | All | All
Application | Oracle | Financial Services Enterprise Case Management | 8.1.1.0 | All | All | All
Application | Oracle | Financial Services Enterprise Case Management | 8.1.1.1 | All | All | All
Application | Oracle | Financial Services Enterprise Case Management | 8.1.2.0 | All | All | All
Application | Oracle | Mysql Enterprise Monitor | All | All | All | All
Application | Oracle | Product Lifecycle Analytics | 3.6.1.0 | All | All | All
Application | Oracle | Retail Xstore Point Of Service | 20.0.1 | All | All | All
Application | Oracle | Retail Xstore Point Of Service | 21.0.0 | All | All | All
Application | Oracle | Sd-wan Edge | 9.0 | All | All | All
Application | Oracle | Sd-wan Edge | 9.1 | All | All | All
Application | Vmware | Spring Cloud Function | All | All | All | All

References

Reference (Source; Link; Tags):

  • CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression | Security | VMware Tanzu (MISC; tanzu.vmware.com)
  • 20220401 Vulnerability in Spring Cloud Function Framework Affecting Cisco Products: March 2022 (CISCO; tools.cisco.com)
  • Oracle Critical Patch Update Advisory - April 2022 (MISC; www.oracle.com)
  • Spring Cloud 3.2.2 Remote Command Execution ≈ Packet Storm (MISC; packetstormsecurity.com)
  • Security Advisory (CONFIRM; psirt.global.sonicwall.com)
  • Oracle Critical Patch Update Advisory - July 2022 (N/A; www.oracle.com)
  • CVE Program record (CVE.ORG; www.cve.org; tags: canonical)
  • NVD vulnerability detail (NVD; nvd.nist.gov; tags: canonical, analysis)
  • CISA Known Exploited Vulnerabilities catalog (CISA; www.cisa.gov; tags: kev)

Legacy QID Mappings

  • 150494 Spring Cloud Function Remote Code Execution (RCE) Vulnerability (CVE-2022-22963)
  • 376508 Spring Cloud Function Remote Code Execution (RCE) Vulnerability (Authenticated)
  • 376520 Spring Cloud Function Remote Code Execution (RCE) Vulnerability Scan Utility
  • 730417 Palo Alto Networks (PAN-OS) Impact of Spring Vulnerabilities CVE-2022-22963 and CVE-2010-1622 Bypass Vulnerability (PAN-191178)
  • 730418 Spring Cloud Function Remote Code Execution (RCE) Vulnerability (Unauthenticated Check)
  • 730421 Palo Alto Networks (PAN-OS) Impact of Spring Vulnerabilities CVE-2022-22963 and CVE-2022-22965 Vulnerability (PAN-191178)
  • 730428 Palo Alto Networks (PAN-OS) Impact of Spring Vulnerabilities CVE-2022-22963 and CVE-2022-22965 Vulnerability (PAN-191178)
  • 730431 Palo Alto Networks (PAN-OS) Impact of Spring Vulnerabilities CVE-2022-22963 and CVE-2022-22965 Vulnerability (PAN-191178)
  • 984160 Java (maven) Security Update for org.springframework.cloud:spring-cloud-function-core (GHSA-6v73-fgf6-w5j7)
© CVE.report 2026
