CVE-2021-22118
CWE-269 — Improper Privilege Management; CWE-668 — Exposure to Wrong Sphere; CWE-281 — Improper Preservation of Permissions
12 documents, 7 sources
Severity
7.8 HIGH
EPSS
0.3%
top 51.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 27
Latest update: Jul 15
Description
In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
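The attack in the description is a local race on a shared temporary directory: whoever creates the multipart storage directory first controls its ownership and permissions, and a writer that simply reuses an existing directory hands every upload to that owner and lets the owner feed it file data in return. The Python below is an added illustration, not Spring Framework code and not the fix that shipped in 5.2.15 and 5.3.7. It encodes the advisory's version ranges as a predicate (with numeric comparison, so 5.3.10 is correctly treated as newer than 5.3.7) and shows the ownership and permission checks a temp-file store needs so that a directory pre-created by another local user is refused instead of used. `is_affected_spring_version`, `ensure_private_dir`, `UnsafeDirectoryError` and `demo` are this example's own names, and it assumes a POSIX host.

```python
"""Illustration for CVE-2021-22118 (added example; not Spring Framework code).

Two helpers:
  * is_affected_spring_version(): the version predicate stated in the advisory
    (5.2.x before 5.2.15, 5.3.x before 5.3.7).
  * ensure_private_dir(): the check a multipart/temp-file store needs so that a
    directory (re)created by another local user is refused, not used. The
    policy below (owner-only, no symlink, mode 0700) is this example's own.
"""
import os
import stat
import tempfile
from pathlib import Path


def parse_version(v: str) -> tuple:
    """Turn '5.3.7', '5.3.7.RELEASE' or '5.3.7-SNAPSHOT' into a numeric tuple.

    Plain string comparison would rank '5.3.10' below '5.3.7'; tuples do not.
    """
    parts = []
    for piece in v.replace("-", ".").split("."):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break  # a qualifier such as RELEASE/SNAPSHOT ends the numeric part
    return tuple(parts)


def is_affected_spring_version(version: str) -> bool:
    """True when the Spring Framework version falls in the advisory's ranges."""
    v = parse_version(version)
    if v[:2] == (5, 2):
        return v < (5, 2, 15)
    if v[:2] == (5, 3):
        return v < (5, 3, 7)
    return False  # other release lines are not named in the advisory


class UnsafeDirectoryError(RuntimeError):
    """Raised when the storage directory is not ours or not private."""


def ensure_private_dir(path: Path) -> Path:
    """Create, or validate an existing, private directory for uploaded data.

    Refuses the directory when it is a symlink, is owned by another uid, or is
    accessible to group/other: all consistent with a local user having created
    it before the application did. Creation uses mode 0700 (umask can only
    remove bits, so the owner-only mode survives).
    """
    path = Path(path)
    try:
        path.mkdir(mode=0o700)  # atomic create; raises if anything already exists
    except FileExistsError:
        pass
    st = os.lstat(path)  # lstat so a symlink planted at this path is not followed
    if stat.S_ISLNK(st.st_mode):
        raise UnsafeDirectoryError(f"{path} is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeDirectoryError(f"{path} is not a directory")
    if st.st_uid != os.getuid():
        raise UnsafeDirectoryError(f"{path} is owned by uid {st.st_uid}, not us")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise UnsafeDirectoryError(
            f"{path} is group/other accessible (mode {oct(st.st_mode & 0o777)})")
    return path


def demo() -> dict:
    """Exercise the check in a scratch directory and return the outcomes.

    The wide-open and symlinked directories are constructed here to stand in
    for what a local attacker would pre-create under a shared tmp location.
    """
    base = Path(tempfile.mkdtemp())
    uploads = base / "uploads"
    results = {}
    results["fresh_ok"] = ensure_private_dir(uploads) == uploads
    results["fresh_mode"] = oct(os.stat(uploads).st_mode & 0o777)
    os.chmod(uploads, 0o777)  # simulate a pre-created, world-accessible directory
    try:
        ensure_private_dir(uploads)
        results["open_refused"] = False
    except UnsafeDirectoryError:
        results["open_refused"] = True
    os.chmod(uploads, 0o700)
    link = base / "uploads-link"
    link.symlink_to(uploads)  # simulate a symlink planted at the expected path
    try:
        ensure_private_dir(link)
        results["symlink_refused"] = False
    except UnsafeDirectoryError:
        results["symlink_refused"] = True
    return results


if __name__ == "__main__":
    print(demo())
    for v in ("5.2.14.RELEASE", "5.2.15", "5.3.6", "5.3.7", "5.3.10"):
        print(v, "affected" if is_affected_spring_version(v) else "not affected")
```

The version predicate is only as good as the version string you feed it: take it from the resolved dependency tree (the `spring-web`/`spring-webflux` artifact actually on the classpath), not from a property in a parent POM, since a transitive upgrade or downgrade changes the answer.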
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9
Affected Packages (32 packages)
CVEListV5 — spring_framework: Spring Framework versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7
Patches
Vulnerability Details (4)
Vendor Advisories (7)
Oracle
Oracle Commerce Risk Matrix: Content Acquisition System (Spring Framework) — CVE-2021-22118, 2022-04-15
Oracle Communications Applications Risk Matrix: TMF API (Spring Framework) — CVE-2021-22118, 2022-01-15
Oracle Communications Applications Risk Matrix: Controller (Spring Framework) — CVE-2021-22118, 2021-10-15
Oracle Retail Applications Risk Matrix: PeopleSoft Integration Bugs (Spring Framework) — CVE-2021-22118, 2021-07-15