CVE-2022-22970

5.3MEDIUM

Key Information:

Vendor: Vmware
Status: Spring Framework
Vendor: CVE Published:; 12 May 2022

Summary

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Affected Version(s)

Spring Framework Spring Framework versions 5.3.x prior to 5.3.20, 5.2.x prior to 5.2.22 and all old and unsupported versions

References

https://tanzu.vmware.com/security/cve-2022-22970

x_refsource_MISC

https://www.oracle.com/security-alerts/cpujul2022.html

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20220616-0006/

x_refsource_CONFIRM

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 12, 2022
Vulnerability Reserved
Jan 10, 2022

.