ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Spring4Shell Vulnerabilities CVE-2022-22963 CVE-2022-22965 and CA Service Desk Manager


Article ID: 238615


Updated On:


CA Service Desk Manager


Two new CVEs for Spring4Shell Zero-Day Vulnerability:

CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression

CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

Is CA Service Desk Manager vulnerable to the above two (2) Spring4Shell vulnerabilities?


Service Desk Manager 17.x

All Supported Operating Systems


Our Engineering team has looked into these recent Spring Framework vulnerabilities.

As per the Spring official document, if the product uses any of the below dependencies then it is vulnerable

spring-webmvc or spring-webflux 

Since CA Service Desk Manager does NOT use any of the above dependencies, then the CA Service Desk Manager application is NOT vulnerable to the recent Spring4Shell vulnerabilities listed above.

Additional Information

Spring4Shell Vulnerabilities CVE-2022-22963 CVE-2022-22965 and JasperReports Server and JasperStudio

Spring4Shell ZERO-day exploit CVE-2022-22963 and CVE-2022-22965 vulnerability for Service Catalog