Improper Privilege Management in Spring Framework

GHSA-gfwj-fwqj-fp3v · CVE-2021-22118

Published May 24, 2022 · Modified Feb 20, 2024

Description

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-22118
WEB https://github.com/spring-projects/spring-framework/issues/26931
WEB https://github.com/spring-projects/spring-framework/commit/0d0d75e25322d8161002d861fff3ec04ba8be5ac
WEB https://github.com/spring-projects/spring-framework/commit/cce60c479c22101f24b2b4abebb6d79440b120d1
PACKAGE https://github.com/spring-projects/spring-framework
WEB https://security.netapp.com/advisory/ntap-20210713-0005
WEB https://spring.io/security/cve-2021-22118
WEB https://tanzu.vmware.com/security/cve-2021-22118
WEB https://www.oracle.com//security-alerts/cpujul2021.html
WEB https://www.oracle.com/security-alerts/cpuapr2022.html
WEB https://www.oracle.com/security-alerts/cpujan2022.html
WEB https://www.oracle.com/security-alerts/cpujul2022.html
WEB https://www.oracle.com/security-alerts/cpuoct2021.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes