Authorization Flaw in Spring Security by VMware
CVE-2021-22112

8.8HIGH

Key Information:

Vendor: Vmware
Status: Spring Security
Vendor: CVE Published:; 23 February 2021

What is CVE-2021-22112?

Spring Security versions 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, and 5.2.x prior to 5.2.9.RELEASE, experience a vulnerability where the SecurityContext may fail to save properly if altered multiple times during a single request. This can allow a malicious application to exploit the flaw, potentially granting users elevated privileges beyond their intended scope. Developers are advised to upgrade to the latest versions to mitigate risks associated with unintended privilege escalation.

Affected Version(s)

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE

References

http://www.openwall.com/lists/oss-security/2021/02/19/7

mailing-listx_refsource_MLIST

https://lists.apache.org/thread.html/redbd004a503b3520ae5...

mailing-listx_refsource_MLIST

https://www.oracle.com/security-alerts/cpuApr2021.html

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 23, 2021
Vulnerability Reserved
Jan 4, 2021

Vmware

What is CVE-2021-22112?

Affected Version(s)

References

CVSS V3.1

Timeline