PT-2022-15751 · Unknown · Spring Framework

Published 2022-05-12 · Updated 2025-11-28 · CVE-2022-22970

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Spring Framework versions prior to 5.3.20
Spring Framework versions prior to 5.2.22
Spring Framework old unsupported versions

Description
The issue affects applications that handle file uploads and rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object, making them vulnerable to a Denial of Service (DoS) attack.

Recommendations
For Spring Framework versions prior to 5.3.20, update to version 5.3.20 or later. For Spring Framework versions prior to 5.2.22, update to version 5.2.22 or later. For Spring Framework old unsupported versions, consider upgrading to a supported version to mitigate the risk of exploitation. As a temporary workaround, consider restricting the use of file uploads or disabling the data binding feature for MultipartFile or javax.servlet.Part until a patch is available.
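An added illustration (not code from this advisory or from the Spring project) of the binding pattern the description names, beside the workaround the recommendations suggest: the file field is excluded from model data binding and taken as a plain request parameter with a size check. The class and field names, the 5 MiB limit and the presence of a configured multipart resolver are assumptions.

```java
// Assumed: Spring MVC 5.x with a MultipartResolver configured; UploadForm,
// UploadController and the field name "attachment" are hypothetical.
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.multipart.MultipartFile;

// The pattern the advisory describes: a model object with a MultipartFile
// field that Spring fills through data binding from the multipart request.
class UploadForm {
    private String description;
    private MultipartFile attachment;
    public String getDescription() { return description; }
    public void setDescription(String d) { description = d; }
    public MultipartFile getAttachment() { return attachment; }
    public void setAttachment(MultipartFile f) { attachment = f; }
}

@Controller
class UploadController {
    private static final long MAX_BYTES = 5L * 1024 * 1024; // constructed limit

    // Workaround from the recommendations: stop the binder from setting the
    // file field, so the upload no longer passes through model data binding.
    @InitBinder("form")
    void excludeFileFromBinding(WebDataBinder binder) {
        binder.setDisallowedFields("attachment");
    }

    // The file is taken directly as a request parameter instead, where its
    // declared size can be checked before the content is consumed.
    @PostMapping("/upload")
    String upload(@ModelAttribute("form") UploadForm form,
                  @RequestParam("attachment") MultipartFile attachment) {
        if (attachment.getSize() > MAX_BYTES) {
            return "redirect:/upload?error=too-large";
        }
        // ... store attachment together with form.getDescription() ...
        return "redirect:/upload?ok";
    }
}
```

With Spring Boot, the servlet-level cap spring.servlet.multipart.max-file-size additionally rejects oversized uploads before they reach the controller.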

Fix

DoS

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2022-22970
GHSA-HH26-6XWR-GGV7

Affected Products

Debian
Spring Framework