CVE-2022-22965#

Statement on CVE-2022-22965 Spring4Shell Vulnerability#

April 29, 2022

Information#

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Severity#

Low

Response#

Melissa Data Corporation (“Melissa”) was not impacted by the Spring4Shell remote code execution (RCE) vulnerability via data binding as we do not utilize Spring4Shell for any Melissa commercial web services or products.

Melissa will continue to follow all guidance provided for this vulnerability as necessary to prevent any future risks.