Description
I was curious if this was impacted by spring4shell? I know that the exploit is still in the process of being verified, and from testing this rudimentary PoC, it at least looks like it's not vulnerable, or at least is not unauthenticated, since everything gets redirected to `/login` and not a `.jsp` URL (assuming the URL needs that to be exploited). I'm messing with it to see if I can get it to do anything while authenticated, but just thought I'd ask.
https://github.com/ckkok/spring4shell-poc/blob/master/exp.py
Cheers
EDIT: Here is the official advisory for it, based on that it looks like this is indeed vulnerable because of the version of `spring-webmvc` that the current snapshot tag is using.
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
However, I think the patch is as simple as updating `org.springframework.boot` from 2.5.2 to 2.5.12, I just did that and it pulls in the patched `spring-webmvc` version 5.3.18. It builds and runs OK as far as I can tell.
Lines 17 to 22 in 8f7c9ab

```xml
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.5.2</version>
    <relativePath />
</parent>
```
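
An added example, not part of the original issue or the project's code: a Python check that reads a `pom.xml` and reports whether its `spring-boot-starter-parent` version is at or above the 2.5.12 release that the issue says pulls in `spring-webmvc` 5.3.18. The function names, verdict strings and sample POM are constructed for illustration, and the handling of a `spring-framework.version` property assumes the standard Spring Boot parent behaviour, where that property overrides the managed framework version.

```python
import re
import xml.etree.ElementTree as ET

# From the issue: Boot 2.5.12 pulls in the patched spring-webmvc 5.3.18.
PATCHED_BOOT_25 = (2, 5, 12)
PATCHED_FRAMEWORK_53 = (5, 3, 18)

# Constructed sample mirroring the pom.xml excerpt quoted in the issue.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.5.2</version>
    <relativePath />
  </parent>
</project>
"""

def _version(text):
    """Parse '2.5.2' or '2.5.12-SNAPSHOT' into (2, 5, 12); None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(g) for g in m.groups()) if m else None

def _find(root, path):
    """Text at a '/'-separated child path, ignoring the Maven XML namespace."""
    node = root
    for name in path.split("/"):
        node = next((c for c in node if c.tag.split("}")[-1] == name), None)
        if node is None:
            return None
    return (node.text or "").strip()

def check_pom(pom_xml):
    """Return 'patched', 'unpatched' or 'unknown' for a pom.xml string."""
    root = ET.fromstring(pom_xml)
    # Assumption: an explicit spring-framework.version property overrides
    # the framework version managed by the Spring Boot parent.
    override = _version(_find(root, "properties/spring-framework.version"))
    if override and override[:2] == (5, 3):
        return "patched" if override >= PATCHED_FRAMEWORK_53 else "unpatched"
    if (_find(root, "parent/groupId") == "org.springframework.boot"
            and _find(root, "parent/artifactId") == "spring-boot-starter-parent"):
        boot = _version(_find(root, "parent/version"))
        if boot and boot[:2] == (2, 5):
            return "patched" if boot >= PATCHED_BOOT_25 else "unpatched"
    return "unknown"  # other release lines are outside what the issue covers
```

The check only reasons about the declared versions; confirming which `spring-webmvc` jar is actually resolved still requires inspecting the build's dependency tree.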