Spring AOP vulnerability

Issue date: 21-09-2021
Affects versions: 14.6

Security Issue ID

SECURITY-241

Affected Product Version(s)

14.6.0 and previous releases.

Severity

medium

Description

CVE-2021-22118

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.

CWE-269 Improper Privilege Management

CVSSv2:

Base Score: MEDIUM (4.6)
Vector: /AV:L/AC:L/Au:N/C/I/A

CVSSv3:

Base Score: HIGH (7.8)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Instructions

Customers using the 14.x major versions are recommended to upgrade to the latest version in that series.

Content Application

Channels

Projects

Relevance

Architecture

Concepts

Platform Configuration

Frontend Integration

Backend Development

Commerce Accelerator

Cloud Deployment (PaaS)

On-Premise Deployment

Security

Release Management

Platform Development

Bloomreach Documentation version

Spring AOP vulnerability