Investigate vulnerability: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework.boot/spring-boot-starter-web

Description:

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework.boot:spring-boot-starter-web.

• Severity: critical
• Confidence: unknown
• Location: build.gradle

Solution:

Upgrade to versions 2.5.12, 2.6.6 or above.

Identifiers:

• Gemnasium-4707032c-92a4-4447-99db-82dd610d4037
• GHSA-36p3-wjmg-h94x
• CVE-2022-22965

Links:

• https://github.com/advisories/GHSA-36p3-wjmg-h94x
• https://github.com/spring-projects/spring-boot/releases/tag/v2.5.12
• https://github.com/spring-projects/spring-boot/releases/tag/v2.6.6
• https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15
• https://github.com/spring-projects/spring-framework/releases/tag/v5.2.20.RELEASE
• https://github.com/spring-projects/spring-framework/releases/tag/v5.3.18
• https://nvd.nist.gov/vuln/detail/CVE-2022-22965
• https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
• https://tanzu.vmware.com/security/cve-2022-22965

Scanner:

• Name: Gemnasium
• Type: dependency_scanning
• Status: success
• Start Time: 2022-05-09T11:52:33
• End Time: 2022-05-09T11:53:17