GHSA-rfmp-97jj-h8m6

Source

https://github.com/advisories/GHSA-rfmp-97jj-h8m6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rfmp-97jj-h8m6/GHSA-rfmp-97jj-h8m6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-rfmp-97jj-h8m6

Aliases

CVE-2021-22096

Published

2022-05-24T19:19:04Z

Modified

2024-07-19T20:22:49.022769Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Improper Output Neutralization for Logs in Spring Framework

Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Database specific

{
    "nvd_published_at": "2021-10-28T16:15:00Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-117"
    ],
    "github_reviewed_at": "2022-06-22T18:25:00Z",
    "github_reviewed": true
}

References

Affected packages

Maven

org.springframework:spring-core

Package

Name: org.springframework:spring-core; View open source insights on deps.dev
Purl: pkg:maven/org.springframework/spring-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.3.0

Fixed

5.3.11

Affected versions

5.*

5.3.0

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.3.9

5.3.10

Database specific

last_known_affected_version_range

"<= 5.3.10"

org.springframework:spring-core

Package

Name: org.springframework:spring-core; View open source insights on deps.dev
Purl: pkg:maven/org.springframework/spring-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.2.0

Fixed

5.2.18

Affected versions

5.*

5.2.0.RELEASE

5.2.1.RELEASE

5.2.2.RELEASE

5.2.3.RELEASE

5.2.4.RELEASE

5.2.5.RELEASE

5.2.6.RELEASE

5.2.7.RELEASE

5.2.8.RELEASE

5.2.9.RELEASE

5.2.10.RELEASE

5.2.11.RELEASE

5.2.12.RELEASE

5.2.13.RELEASE

5.2.14.RELEASE

5.2.15.RELEASE

5.2.16.RELEASE

5.2.17.RELEASE

Database specific

last_known_affected_version_range

"<= 5.2.17"

org.springframework:spring

Package

Name: org.springframework:spring; View open source insights on deps.dev
Purl: pkg:maven/org.springframework/spring

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.2.0

Fixed

5.2.18

Affected versions

5.*

5.2.0.RELEASE

5.2.1.RELEASE

5.2.2.RELEASE

5.2.3.RELEASE

5.2.5.RELEASE

5.2.6.RELEASE

5.2.7.RELEASE

5.2.8.RELEASE

5.2.9.RELEASE

5.2.10.RELEASE

5.2.11.RELEASE

5.2.12.RELEASE

5.2.13.RELEASE

5.2.14.RELEASE

5.2.15.RELEASE

5.2.16.RELEASE

5.2.17.RELEASE

Database specific

last_known_affected_version_range

"<= 5.2.17"

org.springframework:spring

Package

Name: org.springframework:spring; View open source insights on deps.dev
Purl: pkg:maven/org.springframework/spring

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.3.0

Fixed

5.3.11

Affected versions

5.*

5.3.0

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.3.9

5.3.10

Database specific

last_known_affected_version_range

"<= 5.3.10"