A Technical Analysis of How Spring4Shell (CVE-2022-22965) Works

14 points by cws about 3 years ago

5 comments

alipitch about 3 years ago
Are there any data binding libraries (deserialization, marshaling, pickling libraries) that do not have the class of weaknesses as the two CVEs (CVE-2022-22965, CVE-2010-1622)?

If there are any for Java, can they be used with Spring Boot (Spring Framework)? Maybe there are some in another programming language?
ajdenver about 3 years ago
I've been told it can be hard to know if vendor-built apps in your environment are using Spring. What are some apps built on this platform?
PeekPoke about 3 years ago
That's a good technical write-up. I wonder how much of an issue this CVE will be compared to Log4Shell....
cws about 3 years ago
This is about CVE-2022-22965. Maybe I’ll edit the title to reflect that.
rpple about 3 years ago
Whether or not this turns out to have the same blast radius as Log4Shell, it has certainly captured a lot of attention. Lots and lots of folks using Tomcat...