CVE-2022-22968

CVE Database · CVE-2022-22968

CVE-2022-22968

· MEDIUMModified

CVSS v3.1

5.3

EPSS

5.41%

Published

Apr 14, 2022

Modified

Nov 21, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Weaknesses (CWE)

CWE-178

Affected Products (12)

vmware · spring_framework (up to 5.2.0)vulnerable

vmware · spring_frameworkvulnerable

netapp · active_iq_unified_managervulnerable

netapp · cloud_secure_agentvulnerable

netapp · metrocluster_tiebreakervulnerable

netapp · snap_creator_frameworkvulnerable

netapp · snapmanager