PT-2022-15748 · Spring Framework
Ahmed Alwardani · Published 2022-04-14 · Updated 2024-10-22
CVE-2022-22968
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Spring Framework versions 5.3.0 through 5.3.18
Spring Framework versions 5.2.0 through 5.2.20
Spring Framework older unsupported versions
Description
The patterns for disallowedFields on a DataBinder in Spring Framework are case sensitive. This means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
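An added example, not part of this advisory or of the Spring Framework sources: a constructed `Account` bean whose `role` property must not be bound from request input, bound through Spring's `DataBinder` once with the single lower-case pattern and once with both case variants of each path segment, which is the workaround the description implies for affected versions. It assumes Java 11+ and a Spring Framework 5.3.x dependency on the classpath; `bothCases`, `bind` and `DisallowedFieldsDemo` are names chosen here.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

public class DisallowedFieldsDemo {
    // Constructed target bean: "role" must never be set from request input.
    public static class Account {
        private String role = "user";
        public String getRole() { return role; }
        public void setRole(String role) { this.role = role; }
    }
    // Workaround for affected versions: list both case variants of the first character
    // of every segment of a property path, e.g. "a.b" -> a.b, A.b, a.B, A.B.
    static List<String> bothCases(String pattern) {
        List<String> paths = new ArrayList<>();
        paths.add("");
        for (String seg : pattern.split("\\.")) {
            if (seg.isEmpty()) continue;
            String lower = Character.toLowerCase(seg.charAt(0)) + seg.substring(1);
            String upper = Character.toUpperCase(seg.charAt(0)) + seg.substring(1);
            List<String> next = new ArrayList<>();
            for (String prefix : paths) {
                String dot = prefix.isEmpty() ? "" : ".";
                next.add(prefix + dot + lower);
                if (!upper.equals(lower)) next.add(prefix + dot + upper);
            }
            paths = next;
        }
        return paths;
    }
    // Binds one field=value pair under the given disallowed patterns and returns the bean;
    // fields the binder refused are recorded in binder.getBindingResult().getSuppressedFields().
    static Account bind(List<String> disallowed, String field, String value) {
        Account target = new Account();
        DataBinder binder = new DataBinder(target);
        binder.setDisallowedFields(disallowed.toArray(new String[0]));
        binder.bind(new MutablePropertyValues().add(field, value));
        return target;
    }
    public static void main(String[] args) {
        // Weak: only "role" is listed. On an affected version the input name "Role" does not
        // match the pattern but still resolves to setRole, so the value is bound: prints "admin".
        System.out.println(bind(List.of("role"), "Role", "admin").getRole());
        // Hardened: "role" and "Role" are both listed, so the binder refuses it: prints "user".
        System.out.println(bind(bothCases("role"), "Role", "admin").getRole());
    }
}
```

On the fixed versions named below (5.3.19 / 5.2.21 and later) the disallowed-field check itself is case-insensitive, so both calls print "user"; the expanded list remains a harmless belt-and-braces setting there.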
Recommendations
For Spring Framework versions 5.3.0 through 5.3.18, update to version 5.3.19 or later.
For Spring Framework versions 5.2.0 through 5.2.20, update to version 5.2.21 or later.
For Spring Framework older unsupported versions, there is no information about a newer version that contains a fix for this issue.
Affected Products
Debian
Spring Framework