Two different “VMware Spring” bugs at large – we cut through the confusion

Yesterday, we wrote about a bug in the VMware Spring product, a project we described as “an open-source Java toolkit for building powerful Java apps, including cloud-based apps, without needing to write, manage, worry about, or even understand the ‘server’ part of the process yourself.”

But Spring is a huge project, with a vast number of components, so talking about “a vulnerability in Spring” is a bit like saying “I think there’s a bug in Windows”, or “I hope I don’t catch the Sickness disease”.

So, to make things a bit clearer, the bug we looked at yesterday is officially designated CVE-2022-22963, and its semi-official long name is “Remote code execution in Spring Cloud Function by malicious Spring Expression”. You might also see it referred to as “Spring Expression Resource Access Vulnerability”, sometimes written as “SPEL Vulnerability”.

Read full article on Naked Security


