Skip to content

CVE-2021-22060 (Medium) detected in spring-core-5.2.5.RELEASE.jar #426

Closed
Closed
CVE-2021-22060 (Medium) detected in spring-core-5.2.5.RELEASE.jar#426
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSourcev1.3.0
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
bot
opened on Feb 15, 2022

CVE-2021-22060 - Medium Severity Vulnerability

Vulnerable Library - spring-core-5.2.5.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.2.5.RELEASE/e207390ac307d282ed565db4df7046df04fc52b/spring-core-5.2.5.RELEASE.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.2.5.RELEASE/e207390ac307d282ed565db4df7046df04fc52b/spring-core-5.2.5.RELEASE.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.2.5.RELEASE/e207390ac307d282ed565db4df7046df04fc52b/spring-core-5.2.5.RELEASE.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.2.5.RELEASE/e207390ac307d282ed565db4df7046df04fc52b/spring-core-5.2.5.RELEASE.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.2.5.RELEASE/e207390ac307d282ed565db4df7046df04fc52b/spring-core-5.2.5.RELEASE.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.2.5.RELEASE/e207390ac307d282ed565db4df7046df04fc52b/spring-core-5.2.5.RELEASE.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.2.5.RELEASE/e207390ac307d282ed565db4df7046df04fc52b/spring-core-5.2.5.RELEASE.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.2.5.RELEASE/e207390ac307d282ed565db4df7046df04fc52b/spring-core-5.2.5.RELEASE.jar

Dependency Hierarchy:

  • spring-context-5.2.5.RELEASE.jar (Root Library)
    • spring-core-5.2.5.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 1a2bfe2a9f9a3c0a91ff373481b34ed1b816283c

Found in base branch: main

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.

Publish Date: 2022-01-10

URL: CVE-2021-22060

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6gf2-pvqw-37ph

Release Date: 2022-01-10

Fix Resolution: org.springframework:spring-core:5.2.19, 5.3.14

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSourcev1.3.0

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions