QID 376506
Date Published: 2022-03-31
QID 376506: Spring Framework Remote Code Execution (RCE) Vulnerability (Spring4Shell)
The vulnerability exists in the Spring Framework when it runs on JDK version 9 or later. (JDK 8 and earlier are not affected.)
Triggering this vulnerability requires Spring MVC or Spring WebFlux applications running on JDK 9 or above.
Vulnerable Versions:
Spring framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older are vulnerable.
QID Detection: (Authenticated) - Linux
Detection logic checks whether the system has Java 9 or a later version, then runs locate -b -e -r '^spring\-webmvc.*\.jar$' -r '^spring\-webflux.*\.jar$' and ls -l /proc/*/fd | grep -Eo '\S+\/spring\S+jar' | uniq 2> /dev/null, and flags the host if either or both of spring-webmvc-*.jar and spring-webflux*.jar are present on the system.
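The Linux detection logic above, written out as a small POSIX shell check. This is an added example, not Qualys' own detection code; it assumes `java -version` style output and uses a constructed directory in place of the locate and /proc/*/fd scans, so it runs offline.

```shell
#!/bin/sh
# Added example, not Qualys' detection code: reproduces the Linux QID logic.
# A host is flagged only when Java 9+ is present AND a spring-webmvc or
# spring-webflux jar is found. Assumptions: `java -version` output format,
# and a constructed directory standing in for locate / /proc/*/fd scanning.

# Extract the major version from `java -version` style output.
# "1.8.0_322" -> 8, "11.0.14" -> 11, "17" -> 17.
java_major_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$ver" in
        1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;
        *)   printf '%s\n' "$ver" | cut -d. -f1 ;;
    esac
}

# List spring-webmvc / spring-webflux jars under a directory; this stands in
# for the advisory's locate -b -e -r ... and ls -l /proc/*/fd checks.
find_spring_jars() {
    find "$1" -type f \( -name 'spring-webmvc*.jar' -o -name 'spring-webflux*.jar' \) 2>/dev/null
}

# Exit 0 (flagged) only when Java >= 9 and at least one matching jar exists;
# Java 8 hosts are not flagged even if the jars are present.
spring4shell_exposed() {
    major=$(java_major_version "$1")
    [ "${major:-0}" -ge 9 ] || return 1
    [ -n "$(find_spring_jars "$2")" ]
}

# Constructed sample data so the check runs offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/app/WEB-INF/lib"
: > "$tmp/app/WEB-INF/lib/spring-webmvc-5.3.17.jar"
JAVA11='openjdk version "11.0.14" 2022-01-18'
JAVA8='openjdk version "1.8.0_322"'

if spring4shell_exposed "$JAVA11" "$tmp"; then
    echo "flagged: Java 9+ with a Spring MVC/WebFlux jar present"
else
    echo "not flagged"
fi
```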
QID Detection: (Authenticated) - Windows
On Windows systems, the QID identifies vulnerable instances of Spring via WMI by checking whether spring-webmvc, spring-webflux and spring-boot appear in the command lines of running processes, together with JDK 9 or higher.
QID Detection: (Authenticated) - MacOS
Detection logic checks whether the system has Java 9 or a later version and runs the locate command to check for the presence of spring-webmvc and spring-webflux jar files on the system.
QID Detection: (Qualys CS Image Scanning)
Container Sensor image scanning uses the find command to check for spring-webmvc and spring-webflux jars inside .war/.jar files, together with JDK 9 or higher.
When certain conditions are met, a remote attacker can reach the AccessLogValve object and set malicious field values on it through the framework's parameter binding function.
Customers are advised to visit the Spring Framework RCE advisory for more information:
Spring Framework Remote Code Execution (RCE): www.springcloud.io/post/2022-03/spring-0day-vulnerability
CVEs related to QID 376506
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| | Spring | | |