GHSA-gfwj-fwqj-fp3v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gfwj-fwqj-fp3v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gfwj-fwqj-fp3v/GHSA-gfwj-fwqj-fp3v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-gfwj-fwqj-fp3v
- Aliases
- Published
- 2022-05-24T19:03:28Z
- Modified
- 2024-02-20T05:32:02.209050Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Improper Privilege Management in Spring Framework
- Details
-
In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
- Database specific
{ "nvd_published_at": "2021-05-27T15:15:00Z", "cwe_ids": [ "CWE-269", "CWE-668" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-06-22T18:24:11Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-22118
- https://github.com/spring-projects/spring-framework/issues/26931
- https://github.com/spring-projects/spring-framework/commit/0d0d75e25322d8161002d861fff3ec04ba8be5ac
- https://github.com/spring-projects/spring-framework/commit/cce60c479c22101f24b2b4abebb6d79440b120d1
- https://github.com/spring-projects/spring-framework
- https://security.netapp.com/advisory/ntap-20210713-0005
- https://spring.io/security/cve-2021-22118
- https://tanzu.vmware.com/security/cve-2021-22118
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
Affected packages
Maven / org.springframework:spring-web
Package
- Name
- org.springframework:spring-web
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework/spring-web
Maven / org.springframework:spring-web
Package
- Name
- org.springframework:spring-web
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework/spring-web