CVE-2022-22963

📊 9.8 CRITICAL⚡ 94.5%🎯 29 exploits🏛️ KEV Listed

📅 Published Apr 1, 2022

📋 Status: Analyzed

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

CVSS v3.1 • NVD

🎯 Affected Products & Systems

47 product configurations affected

Filter by type:

Type	Vendor	Product	Version Range	Status	CPE String
📱App	vmware	spring cloud function	≤ 3.1.6	Vulnerable	cpe:2.3:a:vmware:spring_cloud_function::::::::
📱App	vmware	spring cloud function	≥ 3.2.0 ∧ ≤ 3.2.2	Vulnerable	cpe:2.3:a:vmware:spring_cloud_function::::::::
📱App	oracle	banking branch	14.5	Vulnerable	cpe:2.3:a:oracle:banking_branch:14.5:::::::*
📱App	oracle	banking cash management	14.5	Vulnerable	cpe:2.3:a:oracle:banking_cash_management:14.5:::::::*
📱App	oracle	banking corporate lending process management	14.5	Vulnerable	cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:::::::*
📱App	oracle	banking credit facilities process management	14.5	Vulnerable	cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:::::::*
📱App	oracle	banking electronic data exchange for corporates	14.5	Vulnerable	cpe:2.3:a:oracle:banking_electronic_data_exchange_for_corporates:14.5:::::::*
📱App	oracle	banking liquidity management	14.2	Vulnerable	cpe:2.3:a:oracle:banking_liquidity_management:14.2:::::::*
📱App	oracle	banking liquidity management	14.5	Vulnerable	cpe:2.3:a:oracle:banking_liquidity_management:14.5:::::::*
📱App	oracle	banking origination	14.5	Vulnerable	cpe:2.3:a:oracle:banking_origination:14.5:::::::*
📱App	oracle	banking supply chain finance	14.5	Vulnerable	cpe:2.3:a:oracle:banking_supply_chain_finance:14.5:::::::*
📱App	oracle	banking trade finance process management	14.5	Vulnerable	cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5:::::::*
📱App	oracle	banking virtual account management	14.5	Vulnerable	cpe:2.3:a:oracle:banking_virtual_account_management:14.5:::::::*
📱App	oracle	communications cloud native core automated test suite	1.9.0	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:::::::*
📱App	oracle	communications cloud native core automated test suite	22.1.0	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:22.1.0:::::::*
📱App	oracle	communications cloud native core console	1.9.0	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:::::::*
📱App	oracle	communications cloud native core console	22.1.0	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_console:22.1.0:::::::*
📱App	oracle	communications cloud native core network exposure function	22.1.0	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.0:::::::*
📱App	oracle	communications cloud native core network function cloud native environment	1.10.0	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:::::::*
📱App	oracle	communications cloud native core network function cloud native environment	22.1.0	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:::::::*
📱App	oracle	communications cloud native core network function cloud native environment	22.1.2	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.2:::::::*
📱App	oracle	communications cloud native core network repository function	1.15.0	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:::::::*
📱App	oracle	communications cloud native core network repository function	22.1.0	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.0:::::::*
📱App	oracle	communications cloud native core network slice selection function	1.8.0	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:::::::*
📱App	oracle	communications cloud native core network slice selection function	22.1.0	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:::::::*
📱App	oracle	communications cloud native core policy	1.15.0	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:::::::*
📱App	oracle	communications cloud native core policy	22.1.0	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.0:::::::*
📱App	oracle	communications cloud native core policy	22.1.3	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.3:::::::*
📱App	oracle	communications cloud native core security edge protection proxy	1.7.0	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:::::::*
📱App	oracle	communications cloud native core security edge protection proxy	22.1.0	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.0:::::::*
📱App	oracle	communications cloud native core unified data repository	1.15.0	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:::::::*
📱App	oracle	communications cloud native core unified data repository	22.1.0	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.1.0:::::::*
📱App	oracle	communications communications policy management	12.6.0.0.0	Vulnerable	cpe:2.3:a:oracle:communications_communications_policy_management:12.6.0.0.0:::::::*
📱App	oracle	financial services analytical applications infrastructure	8.1.1.0	Vulnerable	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:::::::*
📱App	oracle	financial services analytical applications infrastructure	8.1.2.0	Vulnerable	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:::::::*
📱App	oracle	financial services behavior detection platform	8.1.1.0	Vulnerable	cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:::::::*
📱App	oracle	financial services behavior detection platform	8.1.1.1	Vulnerable	cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:::::::*
📱App	oracle	financial services behavior detection platform	8.1.2.0	Vulnerable	cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:::::::*
📱App	oracle	financial services enterprise case management	8.1.1.0	Vulnerable	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:::::::*
📱App	oracle	financial services enterprise case management	8.1.1.1	Vulnerable	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:::::::*
📱App	oracle	financial services enterprise case management	8.1.2.0	Vulnerable	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.0:::::::*
📱App	oracle	mysql enterprise monitor	≤ 8.0.29	Vulnerable	cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::
📱App	oracle	product lifecycle analytics	3.6.1.0	Vulnerable	cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1.0:::::::*
📱App	oracle	retail xstore point of service	20.0.1	Vulnerable	cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:::::::*
📱App	oracle	retail xstore point of service	21.0.0	Vulnerable	cpe:2.3:a:oracle:retail_xstore_point_of_service:21.0.0:::::::*
📱App	oracle	sd-wan edge	9.0	Vulnerable	cpe:2.3:a:oracle:sd-wan_edge:9.0:::::::*
📱App	oracle	sd-wan edge	9.1	Vulnerable	cpe:2.3:a:oracle:sd-wan_edge:9.1:::::::*

📱

vmware / spring cloud function

Application

Vulnerable

Version: ≤ 3.1.6

CPE:

cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:*

📱

vmware / spring cloud function

Application

Vulnerable

Version: ≥ 3.2.0 ∧ ≤ 3.2.2

CPE:

cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:*

📱

oracle / banking branch

Application

Vulnerable

Version: 14.5

CPE:

cpe:2.3:a:oracle:banking_branch:14.5:*:*:*:*:*:*:*

📱

oracle / banking cash management

Application

Vulnerable

Version: 14.5

CPE:

cpe:2.3:a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:*

📱

oracle / banking corporate lending process management

Application

Vulnerable

Version: 14.5

CPE:

cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:*

📱

oracle / banking credit facilities process management

Application

Vulnerable

Version: 14.5

CPE:

cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:*:*:*:*:*:*:*

📱

oracle / banking electronic data exchange for corporates

Application

Vulnerable

Version: 14.5

CPE:

cpe:2.3:a:oracle:banking_electronic_data_exchange_for_corporates:14.5:*:*:*:*:*:*:*

📱

oracle / banking liquidity management

Application

Vulnerable

Version: 14.2

CPE:

cpe:2.3:a:oracle:banking_liquidity_management:14.2:*:*:*:*:*:*:*

📱

oracle / banking liquidity management

Application

Vulnerable

Version: 14.5

CPE:

cpe:2.3:a:oracle:banking_liquidity_management:14.5:*:*:*:*:*:*:*

📱

oracle / banking origination

Application

Vulnerable

Version: 14.5

CPE:

cpe:2.3:a:oracle:banking_origination:14.5:*:*:*:*:*:*:*

📱

oracle / banking supply chain finance

Application

Vulnerable

Version: 14.5

CPE:

cpe:2.3:a:oracle:banking_supply_chain_finance:14.5:*:*:*:*:*:*:*

📱

oracle / banking trade finance process management

Application

Vulnerable

Version: 14.5

CPE:

cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5:*:*:*:*:*:*:*

📱

oracle / banking virtual account management

Application

Vulnerable

Version: 14.5

CPE:

cpe:2.3:a:oracle:banking_virtual_account_management:14.5:*:*:*:*:*:*:*

📱

oracle / communications cloud native core automated test suite

Application

Vulnerable

Version: 1.9.0

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:*

📱

oracle / communications cloud native core automated test suite

Application

Vulnerable

Version: 22.1.0

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:22.1.0:*:*:*:*:*:*:*

📱

oracle / communications cloud native core console

Application

Vulnerable

Version: 1.9.0

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*

📱

oracle / communications cloud native core console

Application

Vulnerable

Version: 22.1.0

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_console:22.1.0:*:*:*:*:*:*:*

📱

oracle / communications cloud native core network exposure function

Application

Vulnerable

Version: 22.1.0

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.0:*:*:*:*:*:*:*

📱

oracle / communications cloud native core network function cloud native environment

Application

Vulnerable

Version: 1.10.0

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*

📱

oracle / communications cloud native core network function cloud native environment

Application

Vulnerable

Version: 22.1.0

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:*

📱

oracle / communications cloud native core network function cloud native environment

Application

Vulnerable

Version: 22.1.2

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.2:*:*:*:*:*:*:*

📱

oracle / communications cloud native core network repository function

Application

Vulnerable

Version: 1.15.0

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*

📱

oracle / communications cloud native core network repository function

Application

Vulnerable

Version: 22.1.0

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.0:*:*:*:*:*:*:*

📱

oracle / communications cloud native core network slice selection function

Application

Vulnerable

Version: 1.8.0

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*

📱

oracle / communications cloud native core network slice selection function

Application

Vulnerable

Version: 22.1.0

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:*:*:*:*:*:*:*

📱

oracle / communications cloud native core policy

Application

Vulnerable

Version: 1.15.0

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*

📱

oracle / communications cloud native core policy

Application

Vulnerable

Version: 22.1.0

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.0:*:*:*:*:*:*:*

📱

oracle / communications cloud native core policy

Application

Vulnerable

Version: 22.1.3

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.3:*:*:*:*:*:*:*

📱

oracle / communications cloud native core security edge protection proxy

Application

Vulnerable

Version: 1.7.0

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*

📱

oracle / communications cloud native core security edge protection proxy

Application

Vulnerable

Version: 22.1.0

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.0:*:*:*:*:*:*:*

📱

oracle / communications cloud native core unified data repository

Application

Vulnerable

Version: 1.15.0

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*

📱

oracle / communications cloud native core unified data repository

Application

Vulnerable

Version: 22.1.0

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.1.0:*:*:*:*:*:*:*

📱

oracle / communications communications policy management

Application

Vulnerable

Version: 12.6.0.0.0

CPE:

cpe:2.3:a:oracle:communications_communications_policy_management:12.6.0.0.0:*:*:*:*:*:*:*

📱

oracle / financial services analytical applications infrastructure

Application

Vulnerable

Version: 8.1.1.0

CPE:

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:*:*:*:*:*:*:*

📱

oracle / financial services analytical applications infrastructure

Application

Vulnerable

Version: 8.1.2.0

CPE:

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:*:*:*:*:*:*:*

📱

oracle / financial services behavior detection platform

Application

Vulnerable

Version: 8.1.1.0

CPE:

cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:*

📱

oracle / financial services behavior detection platform

Application

Vulnerable

Version: 8.1.1.1

CPE:

cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*

📱

oracle / financial services behavior detection platform

Application

Vulnerable

Version: 8.1.2.0

CPE:

cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:*

📱

oracle / financial services enterprise case management

Application

Vulnerable

Version: 8.1.1.0

CPE:

cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:*

📱

oracle / financial services enterprise case management

Application

Vulnerable

Version: 8.1.1.1

CPE:

cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*

📱

oracle / financial services enterprise case management

Application

Vulnerable

Version: 8.1.2.0

CPE:

cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.0:*:*:*:*:*:*:*

📱

oracle / mysql enterprise monitor

Application

Vulnerable

Version: ≤ 8.0.29

CPE:

cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*

📱

oracle / product lifecycle analytics

Application

Vulnerable

Version: 3.6.1.0

CPE:

cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1.0:*:*:*:*:*:*:*

📱

oracle / retail xstore point of service

Application

Vulnerable

Version: 20.0.1

CPE:

cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*

📱

oracle / retail xstore point of service

Application

Vulnerable

Version: 21.0.0

CPE:

cpe:2.3:a:oracle:retail_xstore_point_of_service:21.0.0:*:*:*:*:*:*:*

📱

oracle / sd-wan edge

Application

Vulnerable

Version: 9.0

CPE:

cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*

📱

oracle / sd-wan edge

Application

Vulnerable

Version: 9.1

CPE:

cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:*

47 products•scroll for more

Metrics

9.8 CRITICALCVSS v3.1[email protected]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector:

NETWORK

Complexity:

LOW

Privileges:

NONE

User Interaction:

NONE

Confidentiality:

HIGH

Integrity:

HIGH

Availability:

HIGH

Scope:

UNCHANGED

🔍 Technical Details

Analysis Status

Analyzed

CVSS Details

9.8 (CRITICAL)v3.1

Source: [email protected]

EPSS Details

94.5% (Critical)100.0th percentile

Last updated: Oct 30, 2025

Exploitation probability within 30 days

Published Date

Apr 1, 2022 (3 years ago)

Last Modified

Oct 30, 2025 (2 days ago)

Security Weaknesses2

CWE-94CWE-917

Available exploits (29)

🔐 Sign-in Required

References7

NVDpatchpatch+4