CVE-2021-22118
HIGH7.8EPSS 0.25%Improper Privilege Management in Spring Framework
Published: 5/24/2022Modified: 2/20/2024
Description
In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
Affected packages (1)
- Maven/org.springframework:spring-web>= 5.2.0, < 5.2.15
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References (13)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-22118
- PATCHhttps://github.com/spring-projects/spring-framework
- WEBhttps://github.com/spring-projects/spring-framework/commit/0d0d75e25322d8161002d861fff3ec04ba8be5ac
- WEBhttps://github.com/spring-projects/spring-framework/commit/cce60c479c22101f24b2b4abebb6d79440b120d1
- WEBhttps://github.com/spring-projects/spring-framework/issues/26931
- WEBhttps://security.netapp.com/advisory/ntap-20210713-0005
- WEBhttps://spring.io/security/cve-2021-22118
- WEBhttps://tanzu.vmware.com/security/cve-2021-22118
- WEBhttps://www.oracle.com/security-alerts/cpuapr2022.html
- WEBhttps://www.oracle.com/security-alerts/cpujan2022.html
- WEBhttps://www.oracle.com//security-alerts/cpujul2021.html
- WEBhttps://www.oracle.com/security-alerts/cpujul2022.html
- WEBhttps://www.oracle.com/security-alerts/cpuoct2021.html