CVE-2021-22096

CWE-11710 documents7 sources

Severity

4.3MEDIUM

EPSS

0.2%

top 55.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Spring Framework Oracle Communications Cloud Native Core Console Oracle Communications Cloud Native Core Service Communication Proxy

Timeline

PublishedOct 28

Latest updateMay 24

Description

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages6 packages

▶Mavenorg.springframework:spring5.2.0 — 5.2.18+1

▶Mavenorg.springframework:spring-core5.3.0 — 5.3.11+1

▶NVDvmware/spring_framework5.2.0 — 5.2.17+1

▶CVEListV5spring_frameworkSpring Framework versions 5.3.x prior to 5.3.12+, 5.2.x prior to 5.2.18+ and all older unsupported versions are impacted.

▶NVDoracle/communications_cloud_native_core_console1.9.0

🔴Vulnerability Details

OSV

Improper Output Neutralization for Logs in Spring Framework↗2022-05-24

▶

GHSA

Improper Output Neutralization for Logs in Spring Framework↗2022-05-24

▶

GHSA

Log entry injection in Spring Framework↗2022-01-12

▶

CVEList

CVE-2021-22096: In Spring Framework versions 5↗2021-10-28

▶

OSV

CVE-2021-22096: In Spring Framework versions 5↗2021-10-28

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: CNC Console (Spring boot) — CVE-2021-22096↗2022-04-15

▶

Red Hat

springframework: Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096)↗2022-01-10

▶

Red Hat

springframework: malicious input leads to insertion of additional log entries↗2021-10-28

▶

Debian

CVE-2021-22096: libspring-java - In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupport...↗2021

▶