CVE-2021-22096
First published: Thu Oct 28 2021(Updated: )
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
Credit: security@vmware.com security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ovirt-dependencies | <0:4.5.2-1.el8e | 0:4.5.2-1.el8e |
| VMware Spring Framework | >=5.2.0<=5.2.17 | |
| VMware Spring Framework | >=5.3.0<=5.3.10 | |
| Netapp Active Iq Unified Manager Linux | ||
| Netapp Active Iq Unified Manager Vsphere | ||
| Netapp Active Iq Unified Manager Windows | ||
| Netapp Management Services For Element Software And Netapp Hci | ||
| Netapp Metrocluster Tiebreaker Clustered Data Ontap | ||
| NetApp Snap Creator Framework | ||
| Netapp Snapcenter | ||
| Oracle Communications Cloud Native Core Console | =1.9.0 | |
| Oracle Communications Cloud Native Core Service Communication Proxy | =1.15.0 | |
| maven/org.springframework:spring | >=5.3.0<=5.3.10 | 5.3.11 |
| maven/org.springframework:spring | >=5.2.0<=5.2.17 | 5.2.18 |
| maven/org.springframework:spring-core | >=5.2.0<=5.2.17 | 5.2.18 |
| maven/org.springframework:spring-core | >=5.3.0<=5.3.10 | 5.3.11 |
| IBM QRadar SIEM | <=7.5.0 GA | |
| IBM QRadar SIEM | <=7.4.3 GA - 7.4.3 FP4 | |
| IBM QRadar SIEM | <=7.3.3 GA - 7.3.3 FP10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-22096 https://nvd.nist.gov/vuln/detail/CVE-2021-22096
- https://bugzilla.redhat.com/show_bug.cgi?id=2034584
- https://access.redhat.com/errata/RHSA-2022:5532
- https://access.redhat.com/errata/RHSA-2022:5555
- https://access.redhat.com/errata/RHSA-2022:6393
- https://access.redhat.com/errata/RHSA-2022:1110
- https://access.redhat.com/errata/RHSA-2022:1108
- https://access.redhat.com/security/cve/CVE-2021-22096
- https://tanzu.vmware.com/security/cve-2021-22096
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2034585
- https://access.redhat.com/security/cve/cve-2021-22096
- https://security.netapp.com/advisory/ntap-20211125-0005/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-22096
- https://security.netapp.com/advisory/ntap-20211125-0005
- https://github.com/advisories/GHSA-rfmp-97jj-h8m6 (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/212430
- https://www.ibm.com/support/pages/node/6574787 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-22096?
CVE-2021-22096 is a vulnerability in the Spring Framework that allows a remote attacker to bypass security restrictions and insert additional log entries.
What versions of the Spring Framework are affected by CVE-2021-22096?
Versions 5.3.0 - 5.3.10 and 5.2.0 - 5.2.17 of the Spring Framework are affected.
How can an attacker exploit CVE-2021-22096?
An attacker can exploit CVE-2021-22096 by sending a specially-crafted input to bypass security restrictions and insert additional log entries.
What is the severity of CVE-2021-22096?
CVE-2021-22096 has a severity rating of medium.
Where can I find more information about CVE-2021-22096?
You can find more information about CVE-2021-22096 on the VMware Security Advisory, Red Hat Bugzilla, and Red Hat Errata websites.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-22096
- agent/weakness
- agent/severity
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-rfmp-97jj-h8m6
- agent/software-canonical-lookup
- agent/references
- agent/author
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/tags
- collector/ibm-support
- source/IBM
- package-manager/redhat
- vendor/vmware
- canonical/vmware spring framework
- version/vmware spring framework/5.2.0
- version/vmware spring framework/5.2.17
- version/vmware spring framework/5.3.0
- version/vmware spring framework/5.3.10
- vendor/netapp
- canonical/netapp active iq unified manager linux
- canonical/netapp active iq unified manager vsphere
- canonical/netapp active iq unified manager windows
- canonical/netapp management services for element software and netapp hci
- canonical/netapp metrocluster tiebreaker clustered data ontap
- canonical/netapp snap creator framework
- canonical/netapp snapcenter
- vendor/oracle
- canonical/oracle communications cloud native core console
- version/oracle communications cloud native core console/1.9.0
- canonical/oracle communications cloud native core service communication proxy
- version/oracle communications cloud native core service communication proxy/1.15.0
- package-manager/maven
- vendor/ibm
- canonical/ibm qradar siem
- version/ibm qradar siem/7.5.0 ga
- version/ibm qradar siem/7.4.3 ga - 7.4.3 fp4
- version/ibm qradar siem/7.3.3 ga - 7.3.3 fp10