https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
JDK 9 or higher
Apache Tomcat as the Servlet container
Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
spring-webmvc or spring-webflux dependency
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
* However, the nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet
https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/