Fluid Attacks Database

Description

Denial of service in Spring Framework In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.springframework:spring-beans	>=0 <5.2.22.release \|\| >=5.3.0 <5.3.20	5.2.22.release, 5.3.20
debian 13	libspring-java	=4.3.30-3 \|\| =4.3.30-4	-
debian 14	libspring-java	=4.3.30-3 \|\| =4.3.30-4	-
debian 12	libspring-java	=4.3.30-2 \|\| =4.3.30-3 \|\| =4.3.30-4	-
maven	org.springframework:spring-core	>=0 <=5.2.21.release \|\| >=5.3.0 <5.3.20	5.2.22.release, 5.3.20
debian 11	libspring-java	=4.3.30-1 \|\| =4.3.30-2 \|\| =4.3.30-3 \|\| =4.3.30-4	-

Aliases

1. CVE-2022-229702. NVD-2022-229703. OSV-2022-229704. OSV-DEBIAN-2022-229705. GHSA-hh26-6xwr-ggv76. GCVE-2022-229707. SECURITY-TRACKER-CVE-2022-229708. TANZU-cve-2022-22970

References

1. https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf22. https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd5833. https://security.netapp.com/advisory/ntap-20220616-00064. https://tanzu.vmware.com/security/cve-2022-229705. https://www.oracle.com/security-alerts/cpujul2022.html6. https://github.com/Performant-Labs/CVE-2022-22970