Updated, it’s confirmed now.
As the world’s most popular lightweight open-source Java framework, Spring lets developers focus on business logic and simplifies the development cycle of Java enterprise applications. However, when the Spring framework runs on JDK 9 or later, a remote attacker who meets certain conditions can, through the framework’s parameter binding, reach the AccessLogValve object and set malicious field values on it, thereby triggering the pipeline mechanism and achieving an arbitrary file write.
An unconfirmed, but probable, remote code execution vulnerability is believed to exist in Spring, an extremely popular Java framework. This issue is likely easily exploited in common configurations. If confirmed, another notice will be sent out with a severity of ‘critical’. While unconfirmed, the severity has been assigned ‘high’.
Looks serious if confirmed.
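Added example, not code from this thread or from the advisories quoted in it: a small Python scanner that flags access-log requests whose query-parameter names walk from `class` to `classLoader`, the kind of nested bean-property path that the quoted description attributes to the framework's parameter binding. The log lines are constructed for the example; the exact segment names checked for and the case-insensitive matching are assumptions about what such a request looks like and are not taken from the page.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (combined-log style); not real traffic.
# Lines 2 and 3 carry nested property paths through getClass(), line 5 only
# touches a property called "class" on a bean, and the rest are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Mar/2022:10:12:01 +0000] "GET /app/greet?name=alice HTTP/1.1" 200 512
10.0.0.9 - - [31/Mar/2022:10:12:05 +0000] "GET /app/greet?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di HTTP/1.1" 200 512
10.0.0.9 - - [31/Mar/2022:10:12:06 +0000] "POST /app/greet?Class.Module.ClassLoader.Resources.Context.Parent.Pipeline.First.Suffix=.jsp HTTP/1.1" 200 512
10.0.0.7 - - [31/Mar/2022:10:12:09 +0000] "GET /app/greet?classroom=module HTTP/1.1" 200 512
10.0.0.8 - - [31/Mar/2022:10:12:11 +0000] "GET /app/greet?user.class.name=x HTTP/1.1" 200 512
"""

# Assumed log layout: client ip, ident, user, [timestamp], "METHOD target proto".
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def binding_path_finding(key):
    """Classify a request parameter name as it would be seen by a bean
    property binder: 'a.b.c' means getA().getB().setC(...).

    Returns a reason string for a suspicious nested path, or None.
    Matching is case-insensitive (an assumption here) so that
    capitalisation variants of the same path are not missed."""
    segments = key.lower().split(".")
    if len(segments) < 2 or "class" not in segments:
        return None
    after_class = segments[segments.index("class") + 1:]
    if "classloader" in after_class:
        return f"class->classLoader traversal ({key})"
    return f"nested property path through getClass() ({key})"


def scan_access_log(text):
    """Return (ip, method, reason) for every request whose query string
    contains a parameter name that binding_path_finding() flags.
    Query strings are URL-decoded by parse_qsl before inspection, so
    percent-encoded dots or letters do not evade the check."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # malformed line; a real tool would count these
        query = urlsplit(match.group("target")).query
        for key, _value in parse_qsl(query, keep_blank_values=True):
            reason = binding_path_finding(key)
            if reason:
                findings.append((match.group("ip"), match.group("method"), reason))
    return findings


if __name__ == "__main__":
    for ip, method, reason in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {method}: {reason}")
```

Two caveats a responder would want: an access log only records the query string, so the same parameter names sent in a POST form body (which the binder also reads) are invisible to this scan, and a bare `class`-rooted path is reported separately from a full `classLoader` traversal so that an application that legitimately binds a field called `class` does not drown the real hits. Treat the output as a triage aid for hunting in existing logs, not as coverage.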