Spring4Shell (CVE-2022-22965)
Spring4Shell is an RCE in Spring Framework's data-binder that lets an HTTP form parameter mass-assign into a class-loader property and write an attacker-controlled file to disk.
Definition
Spring4Shell (CVE-2022-22965) is a remote code execution vulnerability in Spring Framework. The bug is in Spring's data-binder, which automatically maps HTTP request parameters onto Java bean properties (a mass-assignment pattern). An attacker who could submit POST parameters with carefully crafted dotted names (`class.module.classLoader.resources.context.parent.pipeline.first.pattern`) could traverse from the model bean into the Tomcat class-loader and write a JSP webshell to disk.
Exploitation requires that the target run on Tomcat (or another Servlet container exposing the same dotted-access path), bind request parameters through Spring's data-binder onto a non-trivial model object, and run on JDK 9+, which exposes the `Module` property the property chain pivots through.
Mitigation
Upgrade Spring Framework to 5.3.18 / 5.2.20 or later. Where an immediate upgrade is not possible, deny `class.*` property paths in the WebDataBinder so request parameters can never reach the class-loader.
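The WebDataBinder denylist, as an added example that is not part of the original page: a global `@ControllerAdvice` whose `@InitBinder` method marks `class.*` property paths (and their nested forms) as disallowed before binding happens. Class and method names are assumed; the Spring annotations and `setDisallowedFields` are the real framework API.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Applies to every @Controller in the application. Each incoming request
 * gets a fresh WebDataBinder, and this method runs before any request
 * parameters are bound onto the model object.
 *
 * Hypothetical class name; the denylist itself is the documented
 * workaround for Spring Framework versions before 5.3.18 / 5.2.20.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class ClassPropertyDenylistAdvice {

    // Patterns are matched against the dotted property path of each
    // request parameter. The bare "class.*" form blocks a top-level
    // pivot (class.module.classLoader....); the "*.class.*" form blocks
    // the same pivot started from a nested bean property. Both letter
    // cases are listed because property matching is not case-folded.
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void denyClassLoaderPaths(WebDataBinder binder) {
        // Any parameter whose name matches is dropped from binding and
        // recorded as a suppressed field instead of reaching the bean.
        binder.setDisallowedFields(DENYLIST);
    }
}
```

`setDisallowedFields` replaces rather than appends, so a controller-local `@InitBinder` that calls it with its own list silently discards this global one; audit those controllers, or merge the patterns into their lists. Suppressed parameter names are available from `binder.getBindingResult().getSuppressedFields()` and are worth logging as a detection signal.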