Spring-Cloud-Function-SPEL-RCE
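Vulnerability details
When Spring Cloud Function has dynamic routing (functionRouter) enabled, the HTTP request header spring.cloud.function.routing-expression is vulnerable to SpEL expression injection, which an attacker can use for remote command execution.
Affected versions
3.0.0.RELEASE <= Spring Cloud Function <= 3.2.2
Vulnerable environment
https://github.com/N1ce759/Spring-Cloud-Function-SPEL-RCE (JDK 15)
Reproduction
POC: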
POST /functionRouter HTTP/1.1
Host: localhost:8080
spring.cloud.function.definition: reverseString
Content-Type: text/plain
Content-Length: 3

abc
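
A defensive check built on the description above, as an added example that is not part of the original repository: it parses a raw HTTP request and flags any request carrying the spring.cloud.function.routing-expression header, matching the name case-insensitively. The function names and the second sample request are assumptions of this example; that sample is constructed and carries a placeholder value.

```python
# Added example, not from the original page: flag requests that carry the
# routing-expression header named in the vulnerability description.
ROUTING_HEADER = "spring.cloud.function.routing-expression"

# The request shown on this page (sets only the function definition).
PAGE_REQUEST = (
    "POST /functionRouter HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "spring.cloud.function.definition: reverseString\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 3\r\n"
    "\r\n"
    "abc"
)
# Constructed sample: same request with the header in mixed case and a
# placeholder value instead of a real expression.
CONSTRUCTED_REQUEST = PAGE_REQUEST.replace(
    "spring.cloud.function.definition: reverseString",
    "Spring.Cloud.Function.Routing-Expression: <placeholder>",
)


def parse_headers(raw: str) -> dict:
    """Return {lower-cased header name: [values]} for a raw HTTP/1.1 request."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    if len(lines[0].split()) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        # Header names are case-insensitive, and a header may repeat.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def classify(raw: str) -> str:
    """'block' if the routing-expression header is present, 'review' if the
    request cannot be parsed, otherwise 'allow'."""
    try:
        headers = parse_headers(raw)
    except ValueError:
        return "review"
    # Assumption: no client of this service legitimately sends this header.
    return "block" if ROUTING_HEADER in headers else "allow"
```

The same rule can be expressed at a reverse proxy or WAF; upgrading past the affected version range listed above remains the actual fix.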