Affected Components: Identity Provider of the Fabasoft Cloud, Fabasoft Secomo
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, Base Score: 9.8
First published 04.04.2022
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. Two components of the Fabasoft Cloud used an affected version of the Spring framework: Identity Provider of the Fabasoft Cloud and Fabasoft Secomo.
Remote code execution (RCE) would potentially have been possible on the affected components.
Fabasoft provided a hotfix in the Fabasoft Cloud for all affected components on 1 April 2022 by updating the Spring framework to the latest version, 5.3.18. No other remediation is required by the customer.
Note: Fabasoft Folio and the Fabasoft eGov-Suite do not make use of the Spring framework and are therefore not affected.