...
Is OpenSpecimen vulnerable to CVE-2022-22965 (Spring RCE) exploit?
Based on our analysis of the information available at the time of writing (2022/04/01 10:00 AM IST), the answer is - No.
One or more conditions required for exploiting the vulnerability are not satisfied -
...
We have plans to upgrade to Spring 5.x, remove the dependency on Tomcat, and run OpenSpecimen as a standalone process. The goal is to complete this upgrade by the end of CY 2022. However, this plan could be affected by unforeseen events that are outside our control.
Mitigation
Although OpenSpecimen is not affected by this vulnerability, out of an abundance of caution we plan to prevent WebDataBinder from processing risky field names containing the class keyword - class.*, Class.*, *.class.*, *.Class.* etc. This fix will be available in OpenSpecimen v9.0.
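As an added example (not OpenSpecimen's own code), this is how the WebDataBinder restriction described above can be applied once, application-wide, in a Spring MVC code base; the class name BinderControllerAdvice and the @Order value are assumptions.

```java
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

import java.util.LinkedHashSet;
import java.util.Set;

// Hypothetical class name. A @ControllerAdvice bean applies to every controller,
// so the restriction does not depend on each controller remembering to add it.
@ControllerAdvice
@Order(10000) // run after other @ControllerAdvice beans so their binder setup cannot undo this
public class BinderControllerAdvice {

    // The field-name patterns listed in the mitigation above. Both capitalisations
    // are listed because disallowed-field matching was case-sensitive in the
    // Spring versions affected by CVE-2022-22965.
    private static final String[] CLASS_PATTERNS = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void restrictClassLoaderFields(WebDataBinder binder) {
        // Merge with any patterns a controller already configured instead of replacing them.
        Set<String> denied = new LinkedHashSet<>();
        String[] existing = binder.getDisallowedFields();
        if (existing != null) {
            for (String pattern : existing) {
                denied.add(pattern);
            }
        }
        for (String pattern : CLASS_PATTERNS) {
            denied.add(pattern);
        }
        // Request parameters whose names match these patterns are skipped during binding,
        // so nested properties reachable through "class" cannot be set from request data.
        binder.setDisallowedFields(denied.toArray(new String[0]));
    }
}
```

Verify the advice is picked up by component scanning (or declared as a bean explicitly); if a controller defines its own @InitBinder that calls setDisallowedFields without merging, the advice's ordering is what keeps these patterns in place.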