activity-based-security-framework icon indicating copy to clipboard operation
activity-based-security-framework copied to clipboard
verified publisher icon exadel-inc

CVE-2021-22096 (Medium) detected in spring-webmvc-5.3.2.jar, spring-web-5.3.2.jar

Open mend-bolt-for-github[bot] opened this issue 4 years ago • 0 comments

CVE-2021-22096 - Medium Severity Vulnerability

Vulnerable Libraries - spring-webmvc-5.3.2.jar, spring-web-5.3.2.jar

spring-webmvc-5.3.2.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /easy-abac-demo/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.3.2/spring-webmvc-5.3.2.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.4.1.jar (Root Library)
    • :x: spring-webmvc-5.3.2.jar (Vulnerable Library)
spring-web-5.3.2.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /easy-abac-demo/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.2/spring-web-5.3.2.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.4.1.jar (Root Library)
    • :x: spring-web-5.3.2.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: 2021-10-28

URL: CVE-2021-22096

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22096

Release Date: 2021-10-28

Fix Resolution (org.springframework:spring-webmvc): 5.3.12

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.4.12

Fix Resolution (org.springframework:spring-web): 5.3.12

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.4.12

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] avatar Dec 02 '21 01:12 mend-bolt-for-github[bot]