by EE84M3i 1539 days ago
The post says "there is a public proof-of-concept available." If that's true, just link to it. The cat's already out of the bag.

Thanks for pointing that out -- I didn't realize we missed adding the link! It's in a repo on GitHub, and we were banging on it to verify the exploit prerequisites.

I'll go do that as soon as I sit down again.

I still can't find it... Got the link to the repo?
I'll ask my engineers to post the one he wrote. He did put more details into the article, so go check that. Here is a repo with a POC though: https://github.com/TheGejr/SpringShell
That’s not really a POC though. That’s not a Spring Application I can run and reproduce on. That’s just a py script.
The PDF in the repo contains a simple Java sample that should be straightforward to build and run.
Yeah, it doesn't work with a default Spring MVC project from start.spring.io on JDK 18. It's hardly a proof of concept without any configuration details of the Spring project. Security researchers need to do better than this.
Check the post again. We made a repo with a full end to end vulnerable app and POC