CVE-2022-22963 In versions 3.1.6, 3.2.2 and older, using routing functionality may lead to remote code execution and access to local files.

CVE-2022-22963 In versions 3.1.6, 3.2.2 and older, using routing functionality may lead to remote code execution and access to local files.

The SpEL is validated using the regular expression matching rules and malicious expressions are rejected by the validator. However, due to the fact that the validator can only check the syntax of the expression and not the intent, it is possible to craft expressions that look correct but are malicious in nature. The SpEL can be constructed in multiple ways and the most common way is to use the JSONPath syntax to access a property on an object that does not exist. In the example below, the user may be accessing a non-existent property on the object and as a result, an unauthorized remote code execution may occur.  custom-route condition = " notjohn.example_service " > ! — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

JSONPath Condition

The JSONPath condition is formed by prepending " ! " to the property name, followed by a question mark. This is commonly seen in the form of ?x.
In the example below, the user may be accessing a non-existent property on the object and as a result, an unauthorized remote code execution may occur.  custom-route condition = " notjohn.example_service " > ! — — — — — — — — — — — — — -?javax.web.server.dispatchor=?
!javax . web . server . dispatchor ?"
!javax . web . server . dispatchor ?"
"javax . web . server . dispatchor="

JSONPath Syntax

JSONPath is a JavaScript abstraction for accessing the properties of an object. It is possible to construct malicious expressions using the JSONPath syntax as it can be constructed in multiple ways. In the example below, the user may be accessing a non-existent property on the object and as a result, an unauthorized remote code execution may occur.  " custom-route " if (custom-route) then { " custom-route " ; :" notjohn.example_service " };
! — — — — — — — — — — — — – !!! !!!! !!!

The SpEL can be constructed in multiple ways and the most common way is to use the JSONPath syntax to access a property on an object that does not exist. The example below shows how this may be done:
"custom-route" if (custom-route) then { "custom-route": "notjohn.example_service"; }

Alerting on invalid condition

As a result of the SpEL validation, an invalid condition is raised when an expression is constructed with an invalid property path.
There are multiple ways to construct expressions and the most common way is to use the JSONPath syntax to access a property on an object that does not exist. The example below shows a valid JSONPath expression:
custom-route condition = " notjohn.example_service " > ! — — — — — — — — — — !!!! !!! !!!! !!! !! !! !! !! !!!! !!!!! !!! !!! !!!!!!!!!!
In this expression, the first two colons are used to denote that it is using JSONPath syntax. However, due to the fact that the validator can only check the syntax of the expression and not its intent, it is possible to craft expressions that look correct but are malicious in nature. In fact, there are multiple ways to construct expressions where an invalid property path may be reached such as:

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe