Vulnerability disclosed in Spring Framework

Issue date: 04-04-2022
Affects versions: 14.7, 13.4

Security Issue ID

SECURITY-290


Affected Product Version(s)

14.7.3, 13.4.14 and previous releases.


Severity 

Medium


Description

CVE-2021-22060


In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.
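The following is an added illustration, not code from Spring Framework or from this advisory: the vulnerable pattern (an attacker-controlled value interpolated straight into a log message) next to a hardened form that neutralises CR, LF and other control characters so one request can only ever produce one log entry. The header name, method names and the sample input are all constructed for the demonstration.

```java
/**
 * Added example (not Spring Framework code): why unescaped input can insert
 * extra log entries, and the escaping that prevents it.
 */
public class LogInjectionDemo {

    /** Escape line breaks and other control characters so one value stays one log line. */
    static String sanitizeForLog(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r') {
                sb.append("\\r");
            } else if (c == '\n') {
                sb.append("\\n");
            } else if (c == '\t') {
                sb.append("\\t");
            } else if (c < 0x20 || c == 0x7f) {
                sb.append(String.format("\\u%04x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: the raw header value becomes part of the log line unchanged. */
    static String vulnerableMessage(String userAgent) {
        return "Rejected request, User-Agent: " + userAgent;
    }

    /** Hardened pattern: the same message with the value escaped first. */
    static String hardenedMessage(String userAgent) {
        return "Rejected request, User-Agent: " + sanitizeForLog(userAgent);
    }

    /** Number of physical lines a message would occupy in a line-oriented log file. */
    static int lineCount(String message) {
        return message.split("\\R", -1).length;
    }

    public static void main(String[] args) {
        // Constructed sample input: a header value carrying an embedded line break.
        String crafted = "curl/7.0\r\nINFO: second, forged-looking entry";
        System.out.println("vulnerable -> lines: " + lineCount(vulnerableMessage(crafted)));
        System.out.println("hardened   -> lines: " + lineCount(hardenedMessage(crafted)));
        System.out.println(hardenedMessage(crafted));
    }
}
```

Applying this escaping at the logging boundary is the same class of mitigation the fix describes; it is also worth checking that the log format your collectors parse cannot be confused by a value that merely looks like a timestamp or level prefix.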

NVD-CWE-noinfo

CVSSv2:

  • Base Score: MEDIUM (4.0)
  • Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSSv3:

  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Instructions

Customers are recommended to upgrade to the latest version (as of the time of writing, 14.7.5 or 13.4.16).