Vulnerability-Lookup

CVE-2022-43484 (GCVE-0-2022-43484)

Vulnerability from cvelistv5 – Published: 2022-12-05 00:00 – Updated: 2025-04-24 14:12

Summary

TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability.The vulnerability is caused by an improper input validation issue in the binding mechanism of Spring MVC. By the application processing a specially crafted file, arbitrary code may be executed with the privileges of the application.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

ClassLoader manipulation vulnerability

Assigner

jpcert

References

URL

Tags

	http://terasolunaorg.github.io/vulnerability/cve-…
	https://osdn.net/projects/terasoluna/wiki/cve-202…
	https://jvn.jp/en/jp/JVN54728399/index.html

Impacted products

	Vendor	Product	Version
	NTT DATA Corporation	TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich)	Affected: TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:32:59.591Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://osdn.net/projects/terasoluna/wiki/cve-2022-43484"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN54728399/index.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-43484",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-24T14:12:21.882658Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-20",
                "description": "CWE-20 Improper Input Validation",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-24T14:12:57.290Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich)",
          "vendor": "NTT DATA Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability.The vulnerability is caused by an improper input validation issue in the binding mechanism of Spring MVC. By the application processing a specially crafted file, arbitrary code may be executed with the privileges of the application."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "ClassLoader manipulation vulnerability",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-05T00:00:00.000Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html"
        },
        {
          "url": "https://osdn.net/projects/terasoluna/wiki/cve-2022-43484"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN54728399/index.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2022-43484",
    "datePublished": "2022-12-05T00:00:00.000Z",
    "dateReserved": "2022-10-22T00:00:00.000Z",
    "dateUpdated": "2025-04-24T14:12:57.290Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://osdn.net/projects/terasoluna/wiki/cve-2022-43484\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://jvn.jp/en/jp/JVN54728399/index.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T13:32:59.591Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-43484\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-24T14:12:21.882658Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-24T14:12:53.886Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"NTT DATA Corporation\", \"product\": \"TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich)\", \"versions\": [{\"status\": \"affected\", \"version\": \"TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1\"}]}], \"references\": [{\"url\": \"http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html\"}, {\"url\": \"https://osdn.net/projects/terasoluna/wiki/cve-2022-43484\"}, {\"url\": \"https://jvn.jp/en/jp/JVN54728399/index.html\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability.The vulnerability is caused by an improper input validation issue in the binding mechanism of Spring MVC. By the application processing a specially crafted file, arbitrary code may be executed with the privileges of the application.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"ClassLoader manipulation vulnerability\"}]}], \"providerMetadata\": {\"orgId\": \"ede6fdc4-6654-4307-a26d-3331c018e2ce\", \"shortName\": \"jpcert\", \"dateUpdated\": \"2022-12-05T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-43484\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-24T14:12:57.290Z\", \"dateReserved\": \"2022-10-22T00:00:00.000Z\", \"assignerOrgId\": \"ede6fdc4-6654-4307-a26d-3331c018e2ce\", \"datePublished\": \"2022-12-05T00:00:00.000Z\", \"assignerShortName\": \"jpcert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2022-43484

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-43484

Aliases

CVE-2022-43484

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-43484",
    "id": "GSD-2022-43484"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-43484"
      ],
      "details": "TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability.The vulnerability is caused by an improper input validation issue in the binding mechanism of Spring MVC. By the application processing a specially crafted file, arbitrary code may be executed with the privileges of the application.",
      "id": "GSD-2022-43484",
      "modified": "2023-12-13T01:19:31.581909Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "vultures@jpcert.or.jp",
        "ID": "CVE-2022-43484",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich)",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "NTT DATA Corporation"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability.The vulnerability is caused by an improper input validation issue in the binding mechanism of Spring MVC. By the application processing a specially crafted file, arbitrary code may be executed with the privileges of the application."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "ClassLoader manipulation vulnerability"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html",
            "refsource": "MISC",
            "url": "http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html"
          },
          {
            "name": "https://osdn.net/projects/terasoluna/wiki/cve-2022-43484",
            "refsource": "MISC",
            "url": "https://osdn.net/projects/terasoluna/wiki/cve-2022-43484"
          },
          {
            "name": "https://jvn.jp/en/jp/JVN54728399/index.html",
            "refsource": "MISC",
            "url": "https://jvn.jp/en/jp/JVN54728399/index.html"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,5.7.1.SP1.RELEASE)",
          "affected_versions": "All versions before 5.7.1.sp1.release",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-20",
            "CWE-78",
            "CWE-937"
          ],
          "date": "2022-12-05",
          "description": "TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 is vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability. The vulnerability is caused by an improper input validation issue in the binding mechanism of Spring MVC. By the application processing a specially crafted file, arbitrary code may be executed with the privileges of the application.",
          "fixed_versions": [
            "5.7.1.SP1.RELEASE"
          ],
          "identifier": "CVE-2022-43484",
          "identifiers": [
            "GHSA-q5j9-f95w-f4pr",
            "CVE-2022-43484"
          ],
          "not_impacted": "All versions starting from 5.7.1.sp1.release",
          "package_slug": "maven/org.terasoluna.gfw/terasoluna-gfw-common",
          "pubdate": "2022-12-05",
          "solution": "Upgrade to version 5.7.1.SP1.RELEASE or above.",
          "title": "Improper Input Validation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-43484",
            "https://jvn.jp/en/jp/JVN54728399/index.html",
            "https://osdn.net/projects/terasoluna/wiki/cve-2022-43484",
            "http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html",
            "https://github.com/advisories/GHSA-q5j9-f95w-f4pr"
          ],
          "uuid": "2d6d65fe-0a4c-4f5b-afc9-daa29bd57f31"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:nttdata:terasoluna_global_framework:1.0.0:*:*:*:public_review:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:nttdata:terasoluna_server_framework_for_java_\\(rich\\):*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.0.5.1",
                "versionStartIncluding": "2.0.0.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2022-43484"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability.The vulnerability is caused by an improper input validation issue in the binding mechanism of Spring MVC. By the application processing a specially crafted file, arbitrary code may be executed with the privileges of the application."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Mitigation",
                "Third Party Advisory"
              ],
              "url": "http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html"
            },
            {
              "name": "https://jvn.jp/en/jp/JVN54728399/index.html",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://jvn.jp/en/jp/JVN54728399/index.html"
            },
            {
              "name": "https://osdn.net/projects/terasoluna/wiki/cve-2022-43484",
              "refsource": "MISC",
              "tags": [
                "Mitigation",
                "Third Party Advisory"
              ],
              "url": "https://osdn.net/projects/terasoluna/wiki/cve-2022-43484"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2022-12-21T16:19Z",
      "publishedDate": "2022-12-05T04:15Z"
    }
  }
}

FKIE_CVE-2022-43484

Vulnerability from fkie_nvd - Published: 2022-12-05 04:15 - Updated: 2025-04-24 14:15

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
vultures@jpcert.or.jp	http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html	Exploit, Mitigation, Third Party Advisory
vultures@jpcert.or.jp	https://jvn.jp/en/jp/JVN54728399/index.html	Third Party Advisory
vultures@jpcert.or.jp	https://osdn.net/projects/terasoluna/wiki/cve-2022-43484	Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html	Exploit, Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://jvn.jp/en/jp/JVN54728399/index.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://osdn.net/projects/terasoluna/wiki/cve-2022-43484	Mitigation, Third Party Advisory

Impacted products

	Vendor	Product	Version
	nttdata	terasoluna_global_framework	1.0.0
	nttdata	terasoluna_server_framework_for_java_\(rich\)	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nttdata:terasoluna_global_framework:1.0.0:*:*:*:public_review:*:*:*",
              "matchCriteriaId": "4239B0D9-E61B-47AF-8A42-76CFE5D65A70",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nttdata:terasoluna_server_framework_for_java_\\(rich\\):*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F9339F59-5E8F-495A-A1C3-6AF6065D51FF",
              "versionEndIncluding": "2.0.5.1",
              "versionStartIncluding": "2.0.0.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability.The vulnerability is caused by an improper input validation issue in the binding mechanism of Spring MVC. By the application processing a specially crafted file, arbitrary code may be executed with the privileges of the application."
    },
    {
      "lang": "es",
      "value": "TERASOLUNA Global Framework 1.0.0 (versi\u00f3n de revisi\u00f3n p\u00fablica) y TERASOLUNA Server Framework para Java (Rich) 2.0.0.2 a 2.0.5.1 son afectados por una vulnerabilidad de manipulaci\u00f3n de ClassLoader debido al uso de la versi\u00f3n anterior de Spring Framework que contiene la vulnerabilidad. La vulnerabilidad es causada por un problema de validaci\u00f3n de entrada incorrecta en el mecanismo de enlace de Spring MVC. Cuando la aplicaci\u00f3n procesa un archivo especialmente manipulado, se puede ejecutar c\u00f3digo arbitrario con los privilegios de la aplicaci\u00f3n."
    }
  ],
  "id": "CVE-2022-43484",
  "lastModified": "2025-04-24T14:15:36.083",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2022-12-05T04:15:10.343",
  "references": [
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Exploit",
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN54728399/index.html"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://osdn.net/projects/terasoluna/wiki/cve-2022-43484"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN54728399/index.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://osdn.net/projects/terasoluna/wiki/cve-2022-43484"
    }
  ],
  "sourceIdentifier": "vultures@jpcert.or.jp",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

JVNDB-2022-000088

Vulnerability from jvndb - Published: 2022-11-14 16:45 - Updated:2024-06-06 16:11

Severity ?

9.8 (Critical) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich) vulnerable to ClassLoader manipulation

Details

The past versions of TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich) are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability. According to the developer, this vulnerability is caused by an improper input validation issue (CWE-20) in the binding mechanism of Spring MVC. NTT DATA Corporation reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NTT DATA Corporation coordinated under the Information Security Early Warning Partnership.

References

Type

URL

	JVN	https://jvn.jp/en/jp/JVN54728399/index.html
	CVE	https://www.cve.org/CVERecord?id=CVE-2022-43484
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-43484
	Related document	https://github.com/spring-projects/spring-framework/issues/15724
	Improper Input Validation(CWE-20)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor

Product

	NTT DATA	TERASOLUNA Global Framework
	NTT DATA	TERASOLUNA Server Framework for Java (Rich)

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000088.html",
  "dc:date": "2024-06-06T16:11+09:00",
  "dcterms:issued": "2022-11-14T16:45+09:00",
  "dcterms:modified": "2024-06-06T16:11+09:00",
  "description": "The past versions of TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich) are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability.\r\nAccording to the developer, this vulnerability is caused by an improper input validation issue (CWE-20) in the binding mechanism of Spring MVC.\r\n\r\nNTT DATA Corporation reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NTT DATA Corporation coordinated under the Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000088.html",
  "sec:cpe": [
    {
      "#text": "cpe:/a:nttdata:terasoluna_global_framework",
      "@product": "TERASOLUNA Global Framework",
      "@vendor": "NTT DATA",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:nttdata:terasoluna_server_framework_for_java_%28rich%29",
      "@product": "TERASOLUNA Server Framework for Java (Rich)",
      "@vendor": "NTT DATA",
      "@version": "2.2"
    }
  ],
  "sec:cvss": [
    {
      "@score": "7.5",
      "@severity": "High",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
      "@version": "2.0"
    },
    {
      "@score": "9.8",
      "@severity": "Critical",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2022-000088",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN54728399/index.html",
      "@id": "JVN#54728399",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2022-43484",
      "@id": "CVE-2022-43484",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-43484",
      "@id": "CVE-2022-43484",
      "@source": "NVD"
    },
    {
      "#text": "https://github.com/spring-projects/spring-framework/issues/15724",
      "@id": "Minor issue with fix for CVE 2010-1622 [SPR-11098] #15724",
      "@source": "Related document"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-20",
      "@title": "Improper Input Validation(CWE-20)"
    }
  ],
  "title": "TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich) vulnerable to ClassLoader manipulation"
}

GHSA-Q5J9-F95W-F4PR

Vulnerability from github – Published: 2022-12-05 06:30 – Updated: 2022-12-06 21:53

Summary

TERASOLUNA Server Framework vulnerable to ClassLoader manipulation

Details

TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to ClassLoader manipulation due to using the old version of Spring Framework which contains the vulnerability. The vulnerability is caused by an improper input validation issue in the binding mechanism of Spring MVC. By the application processing a specially crafted file, arbitrary code may be executed with the privileges of the application.

When using TERASOLUNA Global Framework 1.0.0 (Public review version), update to TERASOLUNA Server Framework for Java 5.7.1.SP1 (using Spring Framework 5.3.18). This vulnerability alone can be addressed by updating to TERASOLUNA Global Framework 1.0.1 (using Spring Framework 3.2.10) or later.

Severity ?

7.8 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.terasoluna.gfw:terasoluna-gfw-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.1.RELEASE"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-43484"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-05T23:23:07Z",
    "nvd_published_at": "2022-12-05T04:15:00Z",
    "severity": "HIGH"
  },
  "details": "TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to ClassLoader manipulation due to using the old version of Spring Framework which contains the vulnerability. The vulnerability is caused by an improper input validation issue in the binding mechanism of Spring MVC. By the application processing a specially crafted file, arbitrary code may be executed with the privileges of the application. \n\nWhen using TERASOLUNA Global Framework 1.0.0 (Public review version), update to TERASOLUNA Server Framework for Java 5.7.1.SP1 (using Spring Framework 5.3.18). This vulnerability alone can be addressed by updating to TERASOLUNA Global Framework 1.0.1 (using Spring Framework 3.2.10) or later.",
  "id": "GHSA-q5j9-f95w-f4pr",
  "modified": "2022-12-06T21:53:44Z",
  "published": "2022-12-05T06:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43484"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/issues/15724"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/terasolunaorg/terasoluna-gfw"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN54728399/index.html"
    },
    {
      "type": "WEB",
      "url": "https://osdn.net/projects/terasoluna/wiki/cve-2022-43484"
    },
    {
      "type": "WEB",
      "url": "http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "TERASOLUNA Server Framework vulnerable to ClassLoader manipulation"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-43484 (GCVE-0-2022-43484)

GSD-2022-43484

FKIE_CVE-2022-43484

JVNDB-2022-000088

GHSA-Q5J9-F95W-F4PR

Tags

Sightings

Nomenclature