¡¾·ì϶¹«¸æ¡¿Spring Boot ÈÏÖ¤Èƹý·ì϶(CVE-2026-22733)

°ä²¼¹¦·ò 2026-03-20

Ò»¡¢¡¢·ì϶¸ÅÊö


·ì϶Ãû³Æ

Spring Boot ÈÏÖ¤Èƹý·ì϶

CVE   ID

CVE-2026-22733

·ì϶ÀàÐÍ

ÈÏÖ¤Èƹý

·¢ÏÖ¹¦·ò

2026-3-20

·ì϶ÆÀ·Ö

8.2

·ì϶µÈ¼¶

¸ßΣ

¹¥»÷ÏòÁ¿

ÍøÂç

ËùÐèȨÏÞ

ÎÞ

ÀûÓÃÄѶÈ

µÍ

Óû§½»»¥

²»±ØÒª

PoC/EXP

δ¹«¿ª

ÔÚÒ°ÀûÓÃ

δ·¢ÏÖ


Spring BootÊÇÓÉSpring¹Ù·½ÌṩµÄ¿ªÔ´JavaÀûÓÿª·¢¿ò¼Ü£¬ÓÃÓÚ¼±¾ç¹¹½¨¶ÀÁ¢¡¢¡¢³ö²ú¼¶µÄSpringÀûÓá£ÆäÄÚÖÃActuator×é¼þÓÃÓÚ¼à¿ØºÍÖÎÀíµ±ÓÃÔËÐÐ״̬£¬Ö§³Ö½¡¿µ²é³­¡¢¡¢Ö¸±ê²É¼¯¼°ÔËά½Ó¿ÚÖÎÀí£¬¿í·ºÀûÓÃÓÚ΢·þÎñ¼Ü¹¹ºÍÔÆÔ­Éú»·¾³¡£


2026Äê3ÔÂ20ÈÕ£¬OG¶«·½Ìü°²È«Ó¦¼±ÏìÓ¦ÖÐÐÄ£¨VSRC£©¼à²âµ½Spring Boot ÈÏÖ¤Èƹý·ì϶¡£µ±ÀûÓý«±ØÒªÉí·ÝÈÏÖ¤µÄÒµÎñ¶ËµãÃýÎóµØÓ³Éäµ½CloudFoundry Actuatorõ辶ÏÂʱ£¬ÓÉÓÚActuatorÓëSpring SecurityµÄõ辶´¦ÖûúÖÆ´æÔÚì¶Ü£¬¿ÉÄܵ¼Ö½Ӽû½ÚÖÆʧЧ¡£¹¥»÷ÕßÎÞÐèÉí·ÝÈÏÖ¤¼´¿É½Ó¼ûÕý±¾Êܱ £»¤µÄ½Ó¿Ú£¬´Ó¶ø»ñÈ¡Ãô¸ÐÐÅÏ¢»òÖ´ÐÐδÊÚȨ²Ù×÷¡£¸Ã·ì϶ͨ³£³Ê´Ë¿ÌͬʱÒýÈëActuatorÓëSpring SecurityÒÀÀµÇÒ´æÔÚ²»¹æ·¶õ辶ÅäÖõÄWebÀûÓÃÖС£³É¹¦ÀûÓø÷ì϶¿ÉÄܵ¼ÖÂÊý¾Ýй¶¡¢¡¢È¨ÏÞÌáÉýÉõÖÁÒµÎñÂß¼­ÀÄÓ㬽ø¶øÎ¥·´Êý¾Ý°²È«¼°ÒþÖÔ± £»¤ÓйغϹæÒªÇ󣬶ÔÆóҵϵͳ°²È«Ôì³É½Ï´ó·çÏÕ¡£


¶þ¡¢¡¢Ó°ÏìÁìÓò


2.7.0 <= Spring Boot < 2.7.32
3.3.0 <= Spring Boot < 3.3.18
3.4.0 <= Spring Boot < 3.4.15
3.5.0 <= Spring Boot < 3.5.12
4.0.0 <= Spring Boot < 4.0.4


Èý¡¢¡¢°²È«´ëÊ©


3.1 Éý¼¶°æ±¾


¹Ù·½ÒÑ°ä²¼ÐÞ¸´²¹¶¡£¬ÒÔÐÞ¸´¸Ã·ì϶¡£
Spring Boot >= 2.7.32
Spring Boot >= 3.3.18
Spring Boot >= 3.4.15
Spring Boot >= 3.5.12
Spring Boot >= 4.0.4


ÏÂÔØÁ´½Ó£ºhttps://github.com/spring-projects/spring-boot/releases/


3.2 һʱ´ëÊ©


ÔÝÎÞ¡£


3.3 ͨÓý¨Òé


? ¶¨ÆÚ¸üÐÂϵͳ²¹¶¡£¬Ï÷¼õϵͳ·ì϶£¬ÌáÉý·þÎñÆ÷µÄ°²È«ÐÔ¡£
¼ÓǿϵͳºÍÍøÂçµÄ½Ó¼û½ÚÖÆ£¬Åú¸Ä·À»ðǽսÊõ£¬¹Ø±Õ·Ç±ØÒªµÄÀûÓö˿ڻò·þÎñ£¬Ï÷¼õ½«Î£ÏÕ·þÎñ£¨ÈçSSH¡¢¡¢RDPµÈ£©Â¶³öµ½¹«Íø£¬Ï÷¼õ¹¥»÷Ãæ¡£
ʹÓÃÆóÒµ¼¶°²È«²úÆ·£¬ÌáÉýÆóÒµµÄÍøÂ簲ȫ»úÄÜ¡£
¼ÓǿϵͳÓû§ºÍȨÏÞÖÎÀí£¬ÆôÓöà³É·ÖÈÏÖ¤»úÖƺÍ×îСȨÏÞ×¼Ôò£¬Óû§ºÍÈí¼þȨÏÞӦά³ÖÔÚ×îµÍÏ޶ȡ£
ÆôÓÃÇ¿ÃÜÂëÕ½Êõ²¢ÉèÖÃΪ¶¨ÆÚÅú¸Ä¡£


3.4 ²Î¿¼Á´½Ó


https://spring.io/security/cve-2026-22733/
https://nvd.nist.gov/vuln/detail/CVE-2026-22733