Log Injection Vulnerability in Spring Framework by VMware
CVE-2021-22096
4.3 MEDIUM
What is CVE-2021-22096?
In affected versions of the Spring Framework, a vulnerability exists that allows an attacker to insert malicious input, resulting in unauthorized manipulation of log entries. This could lead to the disclosure of sensitive information or obfuscation of security-related logs, making it difficult to trace malicious activities. It is crucial for users to adopt the latest versions of the framework to mitigate this risk.
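The log manipulation described above can be blunted at the application level, shown here as an added example that is not code from Spring or from this advisory. Forged log entries of this class generally depend on line-break characters inside an attacker-controlled value, so the sketch escapes them before the value is written. The class name `LogNeutralizer`, the helper `neutralize` and the sample input are assumptions made for illustration.

```java
public class LogNeutralizer {

    /**
     * Hypothetical helper: returns a single-line, unambiguous rendering of an
     * untrusted value. Control characters and Unicode line separators become
     * visible escapes, and the backslash is doubled so that an escape typed
     * by the sender cannot be mistaken for one produced here.
     */
    static String neutralize(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); ) {
            int cp = value.codePointAt(i);
            i += Character.charCount(cp);
            if (cp == '\\') {
                out.append("\\\\");
            } else if (Character.isISOControl(cp) || cp == 0x2028 || cp == 0x2029) {
                // Covers CR, LF, TAB, ESC, NEL and the Unicode line/paragraph separators.
                out.append(String.format("\\u%04x", cp));
            } else {
                out.appendCodePoint(cp);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a request value carrying a line break followed by
        // text shaped like a genuine log entry.
        String param = "alice\r\n2021-10-27 10:00:00 INFO  login ok user=admin";

        // Written raw, the value spans two lines and the second reads as its own entry.
        System.out.println("2021-10-27 10:00:00 WARN  login failed user=" + param);

        // Neutralized, the same value stays on one line with the break visible.
        System.out.println("2021-10-27 10:00:00 WARN  login failed user=" + neutralize(param));
    }
}
```

Encoding at the log layout or appender covers every call site at once; a helper like this only protects the statements that use it, and neither replaces moving to a fixed framework version.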
Affected Version(s)
Spring Framework: versions 5.3.x prior to 5.3.12+, 5.2.x prior to 5.2.18+, and all older unsupported versions are impacted.