Discover and read the best of Twitter Threads about #Spring4Shell

Most recents (3)

Some more information on the #Nginx #0day by @_Blue_hornet as shared via DM and published here with permission: Image
Update on the #Nginx 1.18 #0day:
Around 20 minutes ago @_Blue_hornet started a Github Repo arround the exploit:
github.com/AgainstTheWest…

Some more hints on the Exploit:
- Related to #Spring4Shell
- Created by #BrazenEagle
- Related to ldap-auth demon used together with #Nginx Image
Read 10 tweets
Can confirm! The #Spring4Shell exploit in the wild appears to work against the stock "Handling Form Submission" sample code from spring.io
If the sample code is vulnerable, then I suspect there are indeed real-world apps out there that are vulnerable to RCE...
Ways that Cyber Kendra made this worse for everyone:
1) Sensational blog post indicating that this is going to ruin the internet (red flag!).
2) Linking to a git commit about deserialization that has absolutely nothing to do with the issue demonstrated by the original party.
The original researcher also made this a touch more confusing/misleading than it needed to be as well. To one not familiar with Java, the long list of requirements makes it seem like one may need to intentionally make an app vulnerable. This is not the case.
Read 11 tweets
OK, where are we with Spring stuff?
1) CVE-2022-22963 is a thing, and it affects Spring Cloud Connector. It's RCE, so the CVSS score of 5.4 seems way off.
2) Spring4Shell / SpringShell, invented by Cyber Kendra, isn't a Spring vulnerability at all.
Does that sound about right?
And just for the Twitter record, @VMwareTanzu assigned CVE-2022-22963 a CVSS score of 5.4
Yet it's an unauthenticated RCE vulnerability.
Which in my mind puts it closer to a 9.8.
And to tie up this thread, I've confirmed that #SpringShell / #Spring4Shell *IS* indeed a thing.
This wasn't immediately obvious because of Cyber Kendra linking SpringShell to a commit for a COMPLETELY UNRELATED issue that is NOT A VULNERABILITY.
<sigh>
Read 4 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!