CVE-2022-22970 — Allocation of Resources Without Limits or Throttling in Vmware Spring Framework

CWE-770 — Allocation of Resources Without Limits or Throttling8 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 62.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Spring Framework Oracle Financial Services Crime AND Compliance Management Studio

Timeline

PublishedMay 12

Latest updateJan 15

Description

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.6 | Impact: 3.6

Affected Packages3 packages

▶NVDvmware/spring_framework5.3.0 — 5.3.19+1

▶CVEListV5vmware/spring_frameworkSpring Framework versions 5.3.x prior to 5.3.20, 5.2.x prior to 5.2.22 and all old and unsupported versions

▶NVDoracle/financial_services_crime_and_compliance_management_studio8.0.8.2.0, 8.0.8.3.0+1

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Denial of service in Spring Framework↗2022-05-13

▶

GHSA

Denial of service in Spring Framework↗2022-05-13

▶

CVEList

CVE-2022-22970: In spring framework versions prior to 5↗2022-05-12

▶

OSV

CVE-2022-22970: In spring framework versions prior to 5↗2022-05-12

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Signaling (Spring Framework) — CVE-2022-22970↗2023-01-15

▶

Red Hat

springframework: DoS via data binding to multipartFile or servlet part↗2022-05-11

▶

Debian

CVE-2022-22970: libspring-java - In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported vers...↗2022

▶