Log Injection Vulnerability in Spring Framework by VMware
CVE-2021-22096
4.3 MEDIUM
Summary
In affected versions of the Spring Framework, a vulnerability exists that allows an attacker to insert malicious input, resulting in unauthorized manipulation of log entries. This could lead to the disclosure of sensitive information or obfuscation of security-related logs, making it difficult to trace malicious activities. It is crucial for users to adopt the latest versions of the framework to mitigate this risk.
Affected Version(s)
Spring Framework: versions 5.3.x prior to 5.3.12+, 5.2.x prior to 5.2.18+ and all older unsupported versions are impacted.
CVSS V3.1
Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved