CVE-2022-43484 - Vulnerability Details - OpenCVE

TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability.The vulnerability is caused by an improper input validation issue in the binding mechanism of Spring MVC. By the application processing a specially crafted file, arbitrary code may be executed with the privileges of the application.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Nttdata	Terasoluna Global Framework Terasoluna Server Framework For Java \(rich\)

Configuration 1 [-]

OR	cpe:2.3:a:nttdata:terasoluna_global_framework:1.0.0::::public_review:::
	cpe:2.3:a:nttdata:terasoluna_server_framework_for_java_\(rich\)::::::::

No data.

References

Link	Providers
http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html
https://jvn.jp/en/jp/JVN54728399/index.html
https://osdn.net/projects/terasoluna/wiki/cve-2022-43484

History

Thu, 24 Apr 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2022-12-05T00:00:00.000Z

Updated: 2025-04-24T14:12:57.290Z

Reserved: 2022-10-22T00:00:00.000Z

Link: CVE-2022-43484

Vulnrichment

Updated: 2024-08-03T13:32:59.591Z

NVD

Status : Modified

Published: 2022-12-05T04:15:10.343

Modified: 2025-04-24T14:15:36.083

Link: CVE-2022-43484

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-43484", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "dateUpdated": "2025-04-24T14:12:57.290Z", "dateReserved": "2022-10-22T00:00:00.000Z", "datePublished": "2022-12-05T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2022-12-05T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability.The vulnerability is caused by an improper input validation issue in the binding mechanism of Spring MVC. By the application processing a specially crafted file, arbitrary code may be executed with the privileges of the application."}], "affected": [{"vendor": "NTT DATA Corporation", "product": "TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich)", "versions": [{"version": "TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1", "status": "affected"}]}], "references": [{"url": "http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html"}, {"url": "https://osdn.net/projects/terasoluna/wiki/cve-2022-43484"}, {"url": "https://jvn.jp/en/jp/JVN54728399/index.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "ClassLoader manipulation vulnerability"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:32:59.591Z"}, "title": "CVE Program Container", "references": [{"url": "http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html", "tags": ["x_transferred"]}, {"url": "https://osdn.net/projects/terasoluna/wiki/cve-2022-43484", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/jp/JVN54728399/index.html", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-20", "lang": "en", "description": "CWE-20 Improper Input Validation"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-24T14:12:21.882658Z", "id": "CVE-2022-43484", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-24T14:12:57.290Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html", "tags": ["x_transferred"]}, {"url": "https://osdn.net/projects/terasoluna/wiki/cve-2022-43484", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/jp/JVN54728399/index.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:32:59.591Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-43484", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-24T14:12:21.882658Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-24T14:12:53.886Z"}}], "cna": {"affected": [{"vendor": "NTT DATA Corporation", "product": "TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich)", "versions": [{"status": "affected", "version": "TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1"}]}], "references": [{"url": "http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html"}, {"url": "https://osdn.net/projects/terasoluna/wiki/cve-2022-43484"}, {"url": "https://jvn.jp/en/jp/JVN54728399/index.html"}], "descriptions": [{"lang": "en", "value": "TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability.The vulnerability is caused by an improper input validation issue in the binding mechanism of Spring MVC. By the application processing a specially crafted file, arbitrary code may be executed with the privileges of the application."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "ClassLoader manipulation vulnerability"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2022-12-05T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-43484", "state": "PUBLISHED", "dateUpdated": "2025-04-24T14:12:57.290Z", "dateReserved": "2022-10-22T00:00:00.000Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2022-12-05T00:00:00.000Z", "assignerShortName": "jpcert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nttdata:terasoluna_global_framework:1.0.0:*:*:*:public_review:*:*:*", "matchCriteriaId": "4239B0D9-E61B-47AF-8A42-76CFE5D65A70", "vulnerable": true}, {"criteria": "cpe:2.3:a:nttdata:terasoluna_server_framework_for_java_\\(rich\\):*:*:*:*:*:*:*:*", "matchCriteriaId": "F9339F59-5E8F-495A-A1C3-6AF6065D51FF", "versionEndIncluding": "2.0.5.1", "versionStartIncluding": "2.0.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability.The vulnerability is caused by an improper input validation issue in the binding mechanism of Spring MVC. By the application processing a specially crafted file, arbitrary code may be executed with the privileges of the application."}, {"lang": "es", "value": "TERASOLUNA Global Framework 1.0.0 (versi\u00f3n de revisi\u00f3n p\u00fablica) y TERASOLUNA Server Framework para Java (Rich) 2.0.0.2 a 2.0.5.1 son afectados por una vulnerabilidad de manipulaci\u00f3n de ClassLoader debido al uso de la versi\u00f3n anterior de Spring Framework que contiene la vulnerabilidad. La vulnerabilidad es causada por un problema de validaci\u00f3n de entrada incorrecta en el mecanismo de enlace de Spring MVC. Cuando la aplicaci\u00f3n procesa un archivo especialmente manipulado, se puede ejecutar c\u00f3digo arbitrario con los privilegios de la aplicaci\u00f3n."}], "id": "CVE-2022-43484", "lastModified": "2025-04-24T14:15:36.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-12-05T04:15:10.343", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN54728399/index.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://osdn.net/projects/terasoluna/wiki/cve-2022-43484"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN54728399/index.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://osdn.net/projects/terasoluna/wiki/cve-2022-43484"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}