A new critical remote code execution bug, dubbed “SpringShell” by some in the community, has been identified by security researchers.
The vulnerability affects the spring-core artifact, a core component of the Spring Framework that is used extensively in Java applications, specifically when running on JDK 9 or newer.
Sonatype explained, “the vulnerability affects anyone using spring-core, a core part of the Spring Framework, to perform logging, and anyone using software built on Spring, which is a large population of enterprise Java software.”
“It stems from a previously exploited issue (CVE-2010-1622) in Spring that was patched in the past, but became vulnerable again when used with JDK9,” it continued.