Improper Output Neutralization for Logs in Spring Framework

GHSA-rfmp-97jj-h8m6 · CVE-2021-22096

Published May 24, 2022 · Modified Jul 19, 2024

Description

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

References

4.3 / 10

MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Affected Packages

Maven/org.springframework:spring

Fix 5.2.18, 5.3.11

Introduced 5.2.0, 5.3.0

28 affected versions

5.2.0.RELEASE5.2.1.RELEASE5.2.10.RELEASE5.2.11.RELEASE5.2.12.RELEASE5.2.13.RELEASE5.2.14.RELEASE5.2.15.RELEASE5.2.16.RELEASE5.2.17.RELEASE5.2.2.RELEASE5.2.3.RELEASE5.2.5.RELEASE5.2.6.RELEASE5.2.7.RELEASE5.2.8.RELEASE5.2.9.RELEASE5.3.05.3.15.3.10 +8 more

Maven/org.springframework:spring-core

Fix 5.2.18, 5.3.11

Introduced 5.2.0, 5.3.0

29 affected versions

5.2.0.RELEASE5.2.1.RELEASE5.2.10.RELEASE5.2.11.RELEASE5.2.12.RELEASE5.2.13.RELEASE5.2.14.RELEASE5.2.15.RELEASE5.2.16.RELEASE5.2.17.RELEASE5.2.2.RELEASE5.2.3.RELEASE5.2.4.RELEASE5.2.5.RELEASE5.2.6.RELEASE5.2.7.RELEASE5.2.8.RELEASE5.2.9.RELEASE5.3.05.3.1 +9 more

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes