JDK9+ is important because Spring already prevents access to `class.classloader`, but it can be worked around thanks to modules (i.e. `class.module.classloader` works).
Yes, but there may be some other gadget vulnerabilities in all those fields too. Also, you might be able to make an app OOM by setting big string values somewhere in there.
It boggles my mind why this field is accessible at all and wasn't blocked in CVE-2010-1622.
You can make an app OOM by setting big string values anywhere. You gotta handle that at a higher level and reject requests larger than a certain size, which there is already a default for.