Minimal example of how to reproduce the CVE-2022-22965 Spring vulnerability in Payara/Glassfish.
It includes an alternative payload for Payara/Glassfish that allows a malicious user to set an arbitrary web root, leading to arbitrary file download.
- Build the application using Docker Compose:
    docker-compose up --build
- To test the app, browse to http://localhost:8080/handling-form-submission-complete/greeting
- Run the exploit:
    ./exploits/run.sh
The exploit requires Java 9 or above because the `module` property was added in Java 9.
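
For detection, the following added example (not part of this repository) flags request parameter names whose data-binding path passes through `class`, which is how the Java 9 `module` property is reached. It uses the same four patterns as Spring's published `setDisallowedFields` workaround; the log lines are constructed and the `placeholder` leaf name is hypothetical.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Mirrors the disallowed-field patterns "class.*", "Class.*", "*.class.*",
# "*.Class.*": a name that starts with "class." or contains ".class.".
CLASS_PATH = re.compile(r"(?:^|\.)[cC]lass\.")
REQUEST = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed access-log lines; "placeholder" is a hypothetical leaf name.
APP = "/handling-form-submission-complete/greeting"
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Apr/2022:10:00:00 +0000] "GET {APP}?id=1&content=hi HTTP/1.1" 200 512',
    f'203.0.113.7 - - [01/Apr/2022:10:00:05 +0000] "POST {APP}?class.module.classLoader.placeholder=x HTTP/1.1" 200 512',
    f'203.0.113.7 - - [01/Apr/2022:10:00:09 +0000] "GET {APP}?Class%2Emodule%2EclassLoader%2Eplaceholder=x HTTP/1.1" 400 0',
    f'203.0.113.7 - - [01/Apr/2022:10:00:12 +0000] "GET {APP}?user.subclass.name=a HTTP/1.1" 200 512',
]


def suspicious_params(encoded):
    """Return parameter names in a query string or form body that traverse `class`."""
    # parse_qsl percent-decodes names, so "class%2Emodule" is matched as well.
    names = [name for name, _ in parse_qsl(encoded, keep_blank_values=True)]
    return [name for name in names if CLASS_PATH.search(name)]


def scan_access_log(lines):
    """Return (line number, flagged parameter names) for each matching request."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        flagged = suspicious_params(urlsplit(match.group("target")).query)
        if flagged:
            hits.append((lineno, flagged))
    return hits


if __name__ == "__main__":
    for lineno, names in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(names)}")
```

Access logs usually record only the query string, so for POST requests pass the captured form body to `suspicious_params` directly.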