Fluid Attacks Database

Description

Improper Privilege Management in Spring Framework In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.springframework:spring-core	>=5.2.0 <=5.2.14 \|\| >=5.3.0 <=5.3.6	5.2.15, 5.3.7
maven	org.springframework:spring-web	>=5.2.0 <5.2.15 \|\| >=5.3.0 <5.3.7	5.2.15, 5.3.7
maven	org.springframework:spring-webflux	>=5.2.0 <5.2.15 \|\| >=5.3.0 <5.3.7	5.2.15.release, 5.3.7

Aliases

1. CVE-2021-221182. NVD-2021-221183. OSV-2021-221184. GHSA-gfwj-fwqj-fp3v5. GCVE-2021-221186. TANZU-cve-2021-22118

References

1. https://security.netapp.com/advisory/ntap-20210713-0005/2. https://www.oracle.com//security-alerts/cpujul2021.html3. https://www.oracle.com/security-alerts/cpuapr2022.html4. https://www.oracle.com/security-alerts/cpujan2022.html5. https://www.oracle.com/security-alerts/cpuoct2021.html6. https://github.com/spring-projects/spring-framework/issues/269317. https://github.com/spring-projects/spring-framework/commit/0d0d75e25322d8161002d861fff3ec04ba8be5ac8. https://github.com/spring-projects/spring-framework/commit/cce60c479c22101f24b2b4abebb6d79440b120d19. https://security.netapp.com/advisory/ntap-20210713-000510. https://spring.io/security/cve-2021-2211811. https://tanzu.vmware.com/security/cve-2021-2211812. https://www.oracle.com/security-alerts/cpujul2022.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.