Fluid Attacks Database

Description

Allocation of Resources Without Limits or Throttling in Spring Framework In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	libspring-java	=4.3.30-1 \|\| =4.3.30-2 \|\| =4.3.30-3 \|\| =4.3.30-4	-
debian 13	libspring-java	=4.3.30-3 \|\| =4.3.30-4	-
maven	org.springframework:spring-messaging	>=5.3.0 <5.3.20 \|\| >=0 <5.2.22.release	5.3.20, 5.2.22.release
debian 12	libspring-java	=4.3.30-2 \|\| =4.3.30-3 \|\| =4.3.30-4	-
debian 14	libspring-java	=4.3.30-3 \|\| =4.3.30-4	-
maven	org.springframework:spring-core	>=0 <=5.2.21.release \|\| >=5.3.0 <5.3.20	5.2.22.release, 5.3.20

Aliases

1. CVE-2022-229712. NVD-2022-229713. OSV-DEBIAN-2022-229714. OSV-2022-229715. GHSA-rqph-vqwm-22vc6. GCVE-2022-229717. SECURITY-TRACKER-CVE-2022-229718. TANZU-cve-2022-22971

References

1. https://github.com/tchize/CVE-2022-229712. https://github.com/spring-projects/spring-framework/commit/159a99bbafdd6c01871228113d7042c3f83f360f3. https://github.com/spring-projects/spring-framework/commit/dc2947c52df18d5e99cad03383f7d6ba13d031fd4. https://security.netapp.com/advisory/ntap-20220616-00035. https://tanzu.vmware.com/security/cve-2022-229716. https://www.oracle.com/security-alerts/cpujul2022.html