CVE-2022-22968

CWE-178 CWE-20 — Improper Input Validation10 documents7 sources

Severity

5.3MEDIUM

EPSS

20.5%

top 4.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Spring Vmware Spring Framework Oracle Mysql Enterprise Monitor

Timeline

PublishedApr 14

Latest updateOct 18

Description

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages5 packages

▶NVDvmware/spring_framework5.2.0 — 5.2.20+2

▶Mavenorg.springframework:spring-context5.3.0 — 5.3.19+1

▶CVEListV5spring_frameworkSpring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions

▶CVEListV5vmware/spring5.3.x — 5.3.41+2

▶NVDoracle/mysql_enterprise_monitor8.0.29

🔴Vulnerability Details

GHSA

Spring Framework DataBinder Case Sensitive Match Exception↗2024-10-18

▶

OSV

Improper handling of case sensitivity in Spring Framework↗2022-04-15

▶

GHSA

Improper handling of case sensitivity in Spring Framework↗2022-04-15

▶

OSV

CVE-2022-22968: In Spring Framework versions 5↗2022-04-14

▶

CVEList

CVE-2022-22968: In Spring Framework versions 5↗2022-04-14

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Samples (Spring Framework) — CVE-2022-22968↗2022-10-15

▶

Oracle

Oracle Oracle MySQL Risk Matrix: Service Manager (Spring Framework) — CVE-2022-22968↗2022-07-15

▶

Red Hat

Framework: Data Binding Rules Vulnerability↗2022-04-13

▶

Debian

CVE-2022-22968: libspring-java - In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupport...↗2022

▶