CVE-2022-22968

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-22968
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-22968.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-22968
Aliases
Downstream
Published
2022-04-14T21:15:08.643Z
Modified
2025-11-19T17:35:17.564951Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

References

Affected packages

Git / github.com/spring-projects/spring-framework

Affected ranges

Type
GIT
Repo
https://github.com/spring-projects/spring-framework
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
927b8c15ef20eaaa4002d4b2170cc536a6d6aa35

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-22968.json"