5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
spring-context is vulnerable to binding rules bypass. The vulnerability exists due to lack of sanitization of HTTP request parameters which allows an attacker to bypass the disallowedFields
and bind malicious HTTP request parameters.
github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea
github.com/spring-projects/spring-framework/commit/a7cf19cec5ebd270f97a194d749e2d5701ad2ab7
github.com/spring-projects/spring-framework/issues/28333
security.netapp.com/advisory/ntap-20220602-0004/
spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968
tanzu.vmware.com/security/cve-2022-22968
www.oracle.com/security-alerts/cpujul2022.html
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N