Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nNW1tLXZteDQtM3JnN807dA
Improper handling of case sensitivity in Spring Framework
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. Versions 5.3.19 and 5.2.21 contain a patch for this issue.
Permalink: https://github.com/advisories/GHSA-g5mm-vmx4-3rg7JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nNW1tLXZteDQtM3JnN807dA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: 3 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-g5mm-vmx4-3rg7, CVE-2022-22968
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-22968
- https://tanzu.vmware.com/security/cve-2022-22968
- https://security.netapp.com/advisory/ntap-20220602-0004/
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea
- https://github.com/spring-projects/spring-framework/commit/a7cf19cec5ebd270f97a194d749e2d5701ad2ab7
- https://github.com/advisories/GHSA-g5mm-vmx4-3rg7
Blast Radius: 40.2
Affected Packages
maven:org.springframework:spring-context
Dependent packages: 10,396Dependent repositories: 226,556
Downloads:
Affected Version Ranges: < 5.2.21, >= 5.3.0, < 5.3.19
Fixed in: 5.2.21, 5.3.19
All affected versions: 1.0.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.3.7, 5.3.8, 5.3.9, 5.3.10, 5.3.11, 5.3.12, 5.3.13, 5.3.14, 5.3.15, 5.3.16, 5.3.17, 5.3.18
All unaffected versions: 5.3.19, 5.3.20, 5.3.21, 5.3.22, 5.3.23, 5.3.24, 5.3.25, 5.3.26, 5.3.27, 5.3.28, 5.3.29, 5.3.30, 5.3.31, 5.3.32, 5.3.33, 5.3.34, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.0.16, 6.0.17, 6.0.18, 6.0.19, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6