Denial of Service Vulnerability in Spring Framework by VMware
CVE-2022-22970

5.3 MEDIUM

Key Information:

Vendor: VMware
CVE Published:
12 May 2022

Summary

A vulnerability exists in the Spring Framework that leaves applications handling file uploads open to Denial of Service (DoS) attacks. The issue arises when an application relies on data binding to set a MultipartFile or javax.servlet.Part on a field of a model object. Spring Framework versions prior to 5.3.20 and 5.2.22, as well as older unsupported versions, are affected; users should upgrade to a fixed version to close the exposure.

Affected Version(s)

Spring Framework versions 5.3.x prior to 5.3.20, 5.2.x prior to 5.2.22, and all old and unsupported versions
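A defender's first job with this advisory is to find out which deployed Spring Framework artifacts fall inside the affected ranges listed above. The following Python is an added example, not code from the advisory or from VMware/Spring: it encodes the three ranges stated on this page (5.3.x before 5.3.20, 5.2.x before 5.2.22, and anything older than the 5.2 line) and runs them over a constructed dependency inventory. The inventory format (`artifact version` per line) and every version string in it are assumptions made for the example; versions with a suffix such as `.RELEASE` are compared on their numeric part, and lines newer than the ranges the page lists (for instance a 6.x artifact) are reported as not affected because the page names no such range.

```python
"""Classify Spring Framework versions against the CVE-2022-22970 affected ranges
given in the advisory text. Added example; the sample inventory below is constructed.
"""
import re
from typing import List, Optional, Tuple

# First fixed release per supported line, from the advisory's "Affected Version(s)".
FIXED_VERSIONS = {(5, 3): (5, 3, 20), (5, 2): (5, 2, 22)}
# The advisory lists every line older than 5.2 as old, unsupported and affected.
OLDEST_SUPPORTED_LINE = (5, 2)

# major.minor.patch with an optional qualifier such as ".RELEASE" or "-SNAPSHOT".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-].*)?$")

# Constructed inventory (hypothetical artifacts and versions, one per line).
SAMPLE_INVENTORY = """\
org.springframework:spring-web 5.3.19
org.springframework:spring-webmvc 5.3.20
org.springframework:spring-core 5.2.21.RELEASE
org.springframework:spring-web 5.2.22.RELEASE
org.springframework:spring-web 4.3.30.RELEASE
org.springframework:spring-web 6.0.0
org.springframework:spring-web unknown
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch) or None when the string is not a version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> Optional[bool]:
    """True if inside an affected range, False if fixed/outside, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    line = v[:2]
    if line in FIXED_VERSIONS:
        # Within a supported line: affected only below the first fixed release.
        return v < FIXED_VERSIONS[line]
    # Older lines are unsupported and affected; newer lines are not listed on the page.
    return line < OLDEST_SUPPORTED_LINE


def scan_inventory(text: str) -> List[Tuple[str, str, Optional[bool]]]:
    """Return (artifact, version, status) for each non-empty inventory line."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        artifact, _, version = raw.strip().partition(" ")
        findings.append((artifact, version, is_affected(version)))
    return findings


def affected_artifacts(text: str) -> List[Tuple[str, str]]:
    """Only the entries that need an upgrade to 5.3.20 / 5.2.22 or later."""
    return [(a, v) for a, v, status in scan_inventory(text) if status]


if __name__ == "__main__":
    for artifact, version, status in scan_inventory(SAMPLE_INVENTORY):
        label = {True: "AFFECTED", False: "ok", None: "unparseable"}[status]
        print(f"{label:12} {artifact} {version}")
```

Unparseable versions are reported separately rather than silently passed, since a version string that cannot be classified is exactly the one that deserves a manual look before an inventory is declared clean.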

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
