Multiple Spring Vulnerabilities, June 2022
Issue date: 29-06-2022
Affects versions: 15.0, 14.7, 13.4
Security Issue ID
SECURITY-319, 320, and 327
Affected Product Version(s)
15.0.0, 14.7.6, 13.4.17, and all previous versions
Severity
medium
Description
CVE-2022-22950, CVE-2022-22965, CVE-2022-22968
Several vulnerabilities have been reported related to the Spring Framework's handling of expressions and data binding. These features of Spring are not used by brXM, so the product is not directly vulnerable. However, these features may have been used by customer project code.
Instructions
Update to the latest version. We also advise checking your project for vulnerable customizations that use Spring SpEL expressions or data binding with untrusted input data.
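One way to start the project check described above, as an added example that is not part of the advisory or the product: a Python script that lists SpEL and data-binding entry points in project source for manual review. The indicator patterns, file suffixes and sample controller are assumptions constructed for illustration; a hit means the code should be reviewed for untrusted input reaching it, not that it is vulnerable.

```python
import re
import sys
from pathlib import Path

# Assumed heuristics (not from the advisory): Spring API names that mark
# SpEL evaluation and data-binding entry points worth a manual review.
INDICATORS = {
    "spel": re.compile(r"\b(SpelExpressionParser|ExpressionParser|parseExpression\s*\()"),
    "data-binding": re.compile(r"@InitBinder|@ModelAttribute|\b(?:Web|ServletRequest)?DataBinder\b"),
    "disallowed-fields": re.compile(r"\bsetDisallowedFields\s*\("),
}
SOURCE_SUFFIXES = {".java", ".kt", ".groovy", ".jsp"}

# Constructed sample input, used only to demonstrate the scanner.
SAMPLE = '''\
import org.springframework.expression.spel.standard.SpelExpressionParser;
public class SearchController {
    // a comment mentioning parseExpression( is skipped
    @InitBinder
    void init(WebDataBinder binder) {
        binder.setDisallowedFields("password");
    }
    Object eval(String userInput) {
        return new SpelExpressionParser().parseExpression(userInput).getValue();
    }
}
'''

def scan_text(text, name="<sample>"):
    """Return (file, line number, indicator kind, source line) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("//", "/*", "*")):
            continue  # ignore comment-only lines
        for kind, pattern in INDICATORS.items():
            if pattern.search(stripped):
                findings.append((name, lineno, kind, stripped))
    return findings

def scan_tree(root):
    """Scan every source file with a known suffix under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            findings += scan_text(path.read_text(errors="replace"), str(path))
    return findings

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for name, lineno, kind, line in hits:
        print(f"{name}:{lineno}: [{kind}] {line}")
```

Run it with the project root as the only argument; without an argument it scans the embedded sample.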