{"id":17744092,"url":"https://github.com/thomasvincent/spring4shell-resources","last_synced_at":"2025-04-01T01:45:34.286Z","repository":{"id":150988373,"uuid":"476485762","full_name":"thomasvincent/Spring4Shell-resources","owner":"thomasvincent","description":"Curates resources to defend against SpringShell/Spring4Shell vulnerabilities.","archived":false,"fork":false,"pushed_at":"2024-06-21T00:26:57.000Z","size":32,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-06-21T19:14:30.789Z","etag":null,"topics":["java","security","spring4shell","springshell"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/thomasvincent.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-03-31T21:34:31.000Z","updated_at":"2024-06-21T00:27:00.000Z","dependencies_parsed_at":null,"dependency_job_id":"73e28e56-387d-448b-a617-17906e820fda","html_url":"https://github.com/thomasvincent/Spring4Shell-resources","commit_stats":null,"previous_names":["thomasvincent/spring-shell-resources"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thomasvincent%2FSpring4Shell-resources","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thomasvincent%2FSpring4Shell-resources/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thomasvincent%2FSpring4Shell-resources/releases","manifests_url":"https://repos.eco
syste.ms/api/v1/hosts/GitHub/repositories/thomasvincent%2FSpring4Shell-resources/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/thomasvincent","download_url":"https://codeload.github.com/thomasvincent/Spring4Shell-resources/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246569006,"owners_count":20798341,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["java","security","spring4shell","springshell"],"created_at":"2024-10-26T06:41:56.143Z","updated_at":"2025-04-01T01:45:34.267Z","avatar_url":"https://github.com/thomasvincent.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"### Last Updated May 2024\n\n\n# Spring4Shell (SpringShell) Resource List\n\nA curated list of resources for understanding and addressing the Spring4Shell (SpringShell) remote code execution vulnerability in Spring Framework (CVE-2022-22965).\n\n## Official Spring Resources\n\n* [Spring Framework RCE Vulnerability Official Announcement](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement)\n* [CVE-2022-22965 Vulnerability Details](https://tanzu.vmware.com/security/cve-2022-22965)\n* [Spring Cloud Function CVE Publication](https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function)\n* [Spring Blog - Spring Framework RCE Vulnerability FAQ](https://spring.io/blog/2022/04/01/spring-framework-rce-vulnerability-faq)\n\n## Vulnerability Databases\n\n* [National Vulnerability Database (NVD) - 
CVE-2022-22965](https://nvd.nist.gov/vuln/detail/CVE-2022-22965) - Official U.S. government repository of vulnerability data\n* [Mitre CVE - CVE-2022-22965](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965) - Collaborative effort to identify and catalog vulnerabilities\n* [Atomist Image Vulnerability Database](https://dso.atomist.com/cve/CVE-2022-22965) - Detailed technical information and affected versions\n* [Tenable Plugins for CVE-2022-22965](https://www.tenable.com/plugins/nessus/161337) - Vulnerability detection plugin for Tenable Nessus scanner\n\n## Vendor Responses and Guidance\n\n* [VMware Advisory for CVE-2022-22965](https://www.vmware.com/security/advisories/VMSA-2022-0010.html) - Addresses impact on VMware Tanzu and Spring Cloud Gateway\n* [Cloudflare WAF Mitigations for Spring4Shell](https://blog.cloudflare.com/waf-mitigations-sping4shell/) - Guidance for using Cloudflare Web Application Firewall to protect applications\n* [Akamai Spring4Shell Mitigation Guide](https://www.akamai.com/blog/security-research/spring4shell-mitigation-with-akamai) - Recommendations for using Akamai platform to mitigate risks\n* [Amazon Web Services - Spring4Shell Vulnerability Guidance](https://aws.amazon.com/security/security-bulletins/AWS-2022-007/) - AWS security bulletin and mitigation recommendations\n* [Oracle Security Alert for CVE-2022-22965](https://www.oracle.com/security-alerts/alert-cve-2022-22965.html) - Advisory for Oracle products affected by Spring4Shell\n* [Microsoft Spring4Shell Vulnerability Guidance](https://msrc-blog.microsoft.com/2022/03/31/guidance-for-preventing-detecting-and-hunting-for-cve-2022-22965-spring4shell-exploits/) - Mitigation and detection guidance from Microsoft\n* [IBM Spring4Shell Vulnerability Bulletin](https://www.ibm.com/support/pages/node/6564444) - Details on affected IBM products and remediation steps\n* [Red Hat Spring Boot RCE Vulnerability 
Response](https://access.redhat.com/security/vulnerabilities/RHSB-2022-002) - Red Hat's response to the Spring4Shell vulnerability\n\n## Mitigation and Detection\n\n* [CISA Alert on Spring4Shell](https://www.cisa.gov/uscert/ncas/current-activity/2022/03/31/spring-framework-remote-code-execution-vulnerability-affecting) - Official guidance from U.S. Cybersecurity and Infrastructure Security Agency\n* [Rapid7 Spring4Shell Mitigation Guide](https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/) - Comprehensive overview of vulnerability and mitigation steps\n* [Palo Alto Networks Spring4Shell Protection](https://www.paloaltonetworks.com/blog/prisma-cloud/spring4shell-vulnerability-protection/) - Guidance for detecting and preventing exploitation attempts\n* [Trend Micro - Analyzing Spring4Shell Exploits and Mitigations](https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html) - Detailed analysis of exploit attempts and defense strategies\n\n## Testing and Validation\n\n* [Cyber Kendra Spring4Shell Scanner](https://github.com/CyberKendra/Spring4Shell-POC) - Proof-of-concept scanner for identifying vulnerable applications\n* [Splunk Spring4Shell Detection Queries](https://www.splunk.com/en_us/blog/security/detecting-spring4shell-cve-2022-22965-with-splunk.html) - Search queries to detect potential exploitation attempts in Splunk\n* [FullHunt Spring4Shell Vulnerability Scanner](https://github.com/fullhunt/spring4shell-scan) - Open-source scanner to detect vulnerable Spring Framework instances\n* [Nmap NSE Script for Spring4Shell Detection](https://github.com/Diverto/nse-spring4shell) - Nmap script to scan for vulnerable servers\n* [Spring4Shell Vulnerability Detection with Nuclei](https://blog.projectdiscovery.io/spring4shell-springing-into-action/) - Tutorial on using Nuclei to detect Spring4Shell vulnerability\n\n## Community Discussions and Analysis\n\n* [Spring 
Community Forum - Spring4Shell Discussion](https://forum.spring.io/forum/spring-projects/security/179222-cve-2022-22965-spring4shell) - Active community thread discussing the vulnerability and mitigation strategies\n* [/r/springboot - Spring4Shell Megathread](https://www.reddit.com/r/springboot/comments/tsy0c6/spring4shell_megathread_cve202222965/) - Reddit discussion with updates and resources\n* [Stack Overflow - Spring4Shell Tag](https://stackoverflow.com/questions/tagged/spring4shell) - Collection of questions and answers related to the vulnerability\n* [Praetorian - Deep Dive into Spring4Shell](https://www.praetorian.com/blog/spring-framework-remote-code-execution-spring4shell-explained/) - Detailed technical analysis of the vulnerability and exploitation techniques\n* [LunaSec - Spring4Shell: Detecting and Defending](https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/) - Practical guide for detecting and protecting against Spring4Shell\n* [/r/java](https://www.reddit.com/r/java/) - Reddit community for Java programming language\n* [/r/netsec](https://www.reddit.com/r/netsec/) - Reddit community for network security discussions\n* [Information Security Stack Exchange](https://security.stackexchange.com/questions/tagged/spring4shell) - Q\u0026A site for information security professionals\n* [Stack Overflow - Spring Framework](https://stackoverflow.com/questions/tagged/spring) - Q\u0026A site for programming questions related to Spring Framework\n* [#Spring4Shell on Twitter](https://twitter.com/hashtag/Spring4Shell) - Tweets related to Spring4Shell vulnerability\n* [#SpringShell on Twitter](https://twitter.com/hashtag/SpringShell) - Tweets related to SpringShell vulnerability\n* [@SpringCentral on Twitter](https://twitter.com/SpringCentral) - Official Twitter account for Spring Framework\n\n## Patch and Upgrade Information\n\n* [Spring Framework 5.3.18 Release Notes](https://github.com/spring-projects/spring-framework/releases/tag/v5.3.18) - Official 
release notes for the patched 5.3.x version\n* [Spring Framework 5.2.20 Release Notes](https://github.com/spring-projects/spring-framework/releases/tag/v5.2.20) - Official release notes for the patched 5.2.x version\n* [Spring Boot 2.6.6 Release Notes](https://github.com/spring-projects/spring-boot/releases/tag/v2.6.6) - Release notes for Spring Boot 2.6.6, which includes patched Spring Framework versions\n* [Additional Patch Releases and Updates](https://example.com/spring-framework-patches) - Any additional patch releases or updates to the affected Spring Framework versions since the original list was created.\n\n## Tools and Scripts\n\n* [Detectify Crowdsource - Spring4Shell Test Request](https://cs.detectify.com/post/7c40a4c3-c75a-4917-9acc-8e4e3093d6da) - Crowdsourced test case for detecting Spring4Shell vulnerability\n* [Burp Suite Extension - Active Scan ++](https://portswigger.net/bappstore/3123d5b5f25c4128894d97ea1acc4976) - Burp Suite extension that includes a check for Spring4Shell\n* [Spring4Shell Exploit POC](https://github.com/BobTheShoplifter/Spring4Shell-POC) - Proof-of-concept exploit code for the Spring4Shell vulnerability\n* [Spring4Shell Lab Environment](https://github.com/adioss/spring4shell-lab) - Dockerized environment for practicing Spring4Shell exploitation and detection\n* [Spring4Shell Vulnerability Scanner by Netsparker](https://www.netsparker.com/blog/web-security/spring4shell-rce-cve-2022-22965/) - Web-based scanner to identify vulnerable Spring applications\n* [Spring4Shell Exploitation with Metasploit](https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/) - Guide on exploiting Spring4Shell using Metasploit Framework\n* [Spring4Shell Vulnerability Scanner v2.0](https://example.com/spring4shell-scanner-v2) - A hypothetical updated version of a popular open-source vulnerability scanner.\n* [Spring4Shell Exploit Detection Tool](https://example.com/spring4shell-exploit-detection) - A 
hypothetical tool designed to detect exploit attempts targeting the Spring4Shell vulnerability.\n\n## Post-Incident Analysis and Lessons Learned\n\n* [Spring4Shell: One Year Later](https://example.com/spring4shell-one-year-later) - A hypothetical article reflecting on the lessons learned and the state of Spring Framework security one year after the incident.\n* [NIST Case Study: Spring4Shell Vulnerability Management](https://example.com/nist-case-study-spring4shell) - A hypothetical case study by NIST examining the response and management of the Spring4Shell vulnerability.\n\n## CERT\n\n* [VU#970766 Spring Framework insecurely handles PropertyDescriptor objects with data binding](https://www.kb.cert.org/vuls/id/970766) - Carnegie Mellon University's CERT Coordination Center's Vulnerability Note\n\n## MITRE CVE\n\n* CVE-2022-22947\n  * [CVE-2022-22947](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947)\n  * [Official VMware Post](https://tanzu.vmware.com/security/cve-2022-22947)\n* CVE-2022-22950\n  * [CVE-2022-22950](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22950)\n  * [Official VMware Post](https://tanzu.vmware.com/security/cve-2022-22950)\n* CVE-2022-22963\n  * [CVE-2022-22963](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963)\n  * [Official Spring Project Post](https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function)\n* CVE-2022-22965\n  * [CVE-2022-22965](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965)\n  * [Official Spring Project Post](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthomasvincent%2Fspring4shell-resources","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthomasvincent%2Fspring4shell-resources","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthomasvincent%2Fspring4shell-resources/lists"}