Fluid Attacks Database

Description

Log entry injection in Spring Framework In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	libspring-java	=4.3.30-1 \|\| =4.3.30-2 \|\| =4.3.30-3 \|\| =4.3.30-4	-
debian 12	libspring-java	=4.3.30-2 \|\| =4.3.30-3 \|\| =4.3.30-4	-
debian 13	libspring-java	=4.3.30-3 \|\| =4.3.30-4	-
debian 14	libspring-java	=4.3.30-3 \|\| =4.3.30-4	-
maven	org.springframework:spring-core	>=5.3.0 <5.3.14 \|\| >=5.2.0 <5.2.19	5.3.14, 5.2.19

Aliases

1. CVE-2021-220602. NVD-2021-220603. OSV-DEBIAN-2021-220604. OSV-2021-220605. GCVE-2021-220606. SECURITY-TRACKER-CVE-2021-22060

References

1. https://tanzu.vmware.com/security/cve-2021-220602. https://www.oracle.com/security-alerts/cpuapr2022.html