I've spent most of my day on this and can confirm there is serious potential to this. It's not a log4shell but it's serious.

You're potentially vulnerable if you use POJOs as request parameters [0] with Spring MVC and Java 9+. To support complex POJOs (like a POJO in a POJO), Spring uses the `.` separator. Therefore, you can have a request `GET /somePath?innerPojo.field=foo` that will get mapped properly [1]. Now, in [2], the `getCachedIntrospectionResults()` result has a `class` parameter that I believe should not be exposed. In this object, there are a bunch of parameters that can be set; that's where the problem is.

In the POC seen across the web today, it was modifying the `AccessLogValve` of Tomcat. The exploit mentioned in [3] relies on passing a parameter like this: `GET /somePath?class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp`. This will access the `class` object and use the `getModule` method of the `Class` object to get the `Module` class. Now, this class has the `ClassLoader` exposed via a getter BUT it's exposed as opposed to the `Class` class [4]! In the POC, it's an instance of `WebAppClassLoaderBase` (when using Tomcat, under some circumstances). This class has a `getResources` method that is accessed here, along with `getContext`, `getParent`, etc., all the way up to the last delimiter, which invokes the `setSuffix` method of the `AccessLogValve` instance [5]. Rinse and repeat this to set the tone for the JSP vulnerability and you have an RCE.

Now, this needs some specific preconditions. However, there are probably hundreds of other mutable objects accessible this way that could lead to pretty nasty bugs, vulnerabilities or information disclosures.

Finally, I can confirm that the workaround with `@InitBinder` mentioned in [6] works.

EDIT: Looks like a regression from CVE-2010-1622 that was fixed in [7].

[0] https://docs.spring.io/spring-framework/docs/3.2.x/spring-fr...
[1] https://gist.github.com/jebeaudet/127e6fb0b59e06c0642d2f362e...
[2] https://github.com/spring-projects/spring-framework/blob/mai...
[3] https://www.cyberkendra.com/2022/03/spring4shell-details-and...
[4] https://github.com/spring-projects/spring-framework/blob/mai...
[5] https://github.com/Oreste-Luci/apache-tomcat-8.0.26-src/blob...
[6] https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vu...
[7] https://github.com/spring-projects/spring-framework/commit/3...
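As an added illustration (not code from the commenter or from the Spring project), here is what the nested-POJO binding described above looks like in a Spring MVC controller, together with the `@InitBinder` workaround the comment refers to. The `OuterPojo`/`InnerPojo` classes and the `/somePath` endpoint are hypothetical; the deny-list patterns are the ones Spring published for this issue and are assumed here to match the full dotted property path that the binder evaluates.

```java
// Added example, not from the original comment: a Spring MVC endpoint that binds a
// nested POJO from request parameters, plus a global @InitBinder that refuses to
// bind any property path that starts with or passes through "class" / "Class".
// The POJOs and controller are hypothetical; the patterns are Spring's published ones.
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.RestController;

// Nested POJO: GET /somePath?innerPojo.field=foo ends up in
// outer.getInnerPojo().getField(), because the binder walks the "."-separated
// path through getters and setters. The same walk is what lets a
// "class.module.classLoader..." path reach objects the POJO never meant to expose.
class InnerPojo {
    private String field;
    public String getField() { return field; }
    public void setField(String field) { this.field = field; }
}

class OuterPojo {
    private InnerPojo innerPojo = new InnerPojo();
    public InnerPojo getInnerPojo() { return innerPojo; }
    public void setInnerPojo(InnerPojo innerPojo) { this.innerPojo = innerPojo; }
}

@RestController
class SomeController {
    // Hypothetical endpoint: the POJO is populated from request parameters.
    @GetMapping("/somePath")
    public String somePath(OuterPojo outer) {
        return "field=" + outer.getInnerPojo().getField();
    }
}

// Workaround: a global @InitBinder that marks every "class..." property path as
// disallowed. Disallowed-field patterns are checked against the full property
// path of each incoming parameter, so a path such as
// "class.module.classLoader.resources..." is dropped by the binder before any
// getter along that chain is invoked. LOWEST_PRECEDENCE lets other advice run first.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
class BinderControllerAdvice {
    @InitBinder
    public void denyClassProperties(WebDataBinder dataBinder) {
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

The advice class has to live in a package that is component-scanned, otherwise it is never registered. One caveat worth checking in a real code base: a controller that has its own `@InitBinder` method calling `setDisallowedFields` replaces, rather than extends, the global list, so each such controller needs the `class` patterns added locally as well. The workaround is a stopgap; upgrading to a Spring Framework release that contains the fix referenced in [7] is the actual remediation.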