CVE-2021-22118
First published: Tue May 25 2021(Updated: )
In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
Credit: security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.springframework:spring-web | >=5.3.0<=5.3.6 | 5.3.7 |
| maven/org.springframework:spring-web | >=5.2.0<=5.2.14 | 5.2.15 |
| redhat/spring-framework | <5.3.7 | 5.3.7 |
| redhat/spring-framework | <5.2.15 | 5.2.15 |
| IBM DRM | <=2.0.6 | |
| Spring Framework | >=5.2.0<5.2.15 | |
| Spring Framework | >=5.3.0<5.3.7 | |
| Oracle Commerce Guided Search | =11.3.2 | |
| oracle communications brm - elastic charging engine | =12.0.0.3 | |
| oracle communications Cloud native core binding support function | =1.9.0 | |
| oracle communications Cloud native core policy | =1.14.0 | |
| Oracle Communications Cloud Native Core Network Repository Function | =1.6.0 | |
| Oracle Communications Cloud Native Core Service Communication Proxy | =1.14.0 | |
| Oracle Communications Cloud Native Core Unified Data Repository | =1.14.0 | |
| Oracle Communications Diameter Intelligence Hub | >=8.0.0<=8.1.0 | |
| Oracle Communications Diameter Intelligence Hub | >=8.2.0<=8.2.3 | |
| oracle communications element manager | >=8.2.0<=8.2.4.0 | |
| Oracle Communications Interactive Session Recorder | =6.4 | |
| Oracle Communications Network Integrity | =7.3.6 | |
| oracle communications session report manager | >=8.0.0<=8.2.4.0 | |
| oracle communications session route manager | >=8.0.0<=8.2.4.0 | |
| Oracle Communications Unified Inventory Management | =7.4.1 | |
| Oracle Communications Unified Inventory Management | =7.4.2 | |
| Oracle Communications Unified Inventory Management | =7.5.0 | |
| Oracle Documaker | >=12.6.0<=12.6.4 | |
| Oracle Enterprise Data Quality | =12.2.1.3.0 | |
| Oracle Enterprise Data Quality | =12.2.1.4.0 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=8.0.8<=8.1.1 | |
| Oracle Healthcare Data Repository | =8.1.0 | |
| oracle insurance policy administration | >=11.0<=11.3.1 | |
| Oracle Insurance Rules Palette | =11.0.2 | |
| Oracle Insurance Rules Palette | =11.1.0 | |
| Oracle Insurance Rules Palette | =11.2.7 | |
| Oracle Insurance Rules Palette | =11.3.0 | |
| Oracle Insurance Rules Palette | =11.3.1 | |
| MySQL Enterprise Monitor | <=8.0.25 | |
| Oracle Retail Assortment Planning | =16.0 | |
| Oracle Customer Management and Segmentation Foundation | >=16.0<=19.0 | |
| oracle retail financial integration | =14.1.3.2 | |
| oracle retail financial integration | =15.0.3.1 | |
| oracle retail financial integration | =16.0.3 | |
| Oracle Retail Integration Bus | =14.1.3.2 | |
| Oracle Retail Integration Bus | =15.0.3.1 | |
| Oracle Retail Integration Bus | =16.0.3 | |
| Oracle Retail Merchandising System | =19.0.1 | |
| Oracle Retail Order Broker | =16.0 | |
| Oracle Retail Predictive Application Server | =14.1.3 | |
| Oracle Retail Predictive Application Server | =15.0.3 | |
| Oracle Retail Predictive Application Server | =16.0.3 | |
| Oracle Utilities Testing Accelerator | =6.0.0.1.1 | |
| Oracle Utilities Testing Accelerator | =6.0.0.2.2 | |
| Oracle Utilities Testing Accelerator | =6.0.0.3.1 | |
| netapp hci | ||
| netapp management services for element software |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2021-22118
- https://security.netapp.com/advisory/ntap-20210713-0005/
- https://tanzu.vmware.com/security/cve-2021-22118
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/spring-projects/spring-framework/issues/26931
- https://github.com/spring-projects/spring-framework/commit/0d0d75e25322d8161002d861fff3ec04ba8be5ac
- https://github.com/spring-projects/spring-framework/commit/cce60c479c22101f24b2b4abebb6d79440b120d1
- https://spring.io/security/cve-2021-22118
- https://github.com/advisories/GHSA-gfwj-fwqj-fp3v (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/202705
- https://www.ibm.com/support/pages/node/6497499 (Advisory)
- https://access.redhat.com/errata/RHSA-2021:4918
- https://access.redhat.com/errata/RHSA-2021:5134
- https://access.redhat.com/security/cve/cve-2021-22118
- https://bugzilla.redhat.com/show_bug.cgi?id=1974854
- https://www.cve.org/CVERecord?id=CVE-2021-22118 https://nvd.nist.gov/vuln/detail/CVE-2021-22118 https://github.com/spring-projects/spring-framework/issues/26931 https://tanzu.vmware.com/security/cve-2021-22118
- https://access.redhat.com/errata/RHSA-2021:3205
Parent vulnerabilities
(Appears in the following advisories)
- collector/github-advisory-latest
- alias/GHSA-gfwj-fwqj-fp3v
- alias/CVE-2021-22118
- collector/github-advisory
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/references
- agent/severity
- agent/remedy
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/ibm-support
- source/IBM
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/maven
- package-manager/redhat
- vendor/ibm
- canonical/ibm drm
- version/ibm drm/2.0.6
- vendor/vmware
- canonical/spring framework
- version/spring framework/5.2.0
- version/spring framework/5.3.0
- vendor/oracle
- canonical/oracle commerce guided search
- version/oracle commerce guided search/11.3.2
- canonical/oracle communications brm - elastic charging engine
- version/oracle communications brm - elastic charging engine/12.0.0.3
- canonical/oracle communications cloud native core binding support function
- version/oracle communications cloud native core binding support function/1.9.0
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.14.0
- canonical/oracle communications cloud native core network repository function
- version/oracle communications cloud native core network repository function/1.6.0
- canonical/oracle communications cloud native core service communication proxy
- version/oracle communications cloud native core service communication proxy/1.14.0
- canonical/oracle communications cloud native core unified data repository
- version/oracle communications cloud native core unified data repository/1.14.0
- canonical/oracle communications diameter intelligence hub
- version/oracle communications diameter intelligence hub/8.0.0
- version/oracle communications diameter intelligence hub/8.1.0
- version/oracle communications diameter intelligence hub/8.2.0
- version/oracle communications diameter intelligence hub/8.2.3
- canonical/oracle communications element manager
- version/oracle communications element manager/8.2.0
- version/oracle communications element manager/8.2.4.0
- canonical/oracle communications interactive session recorder
- version/oracle communications interactive session recorder/6.4
- canonical/oracle communications network integrity
- version/oracle communications network integrity/7.3.6
- canonical/oracle communications session report manager
- version/oracle communications session report manager/8.0.0
- version/oracle communications session report manager/8.2.4.0
- canonical/oracle communications session route manager
- version/oracle communications session route manager/8.0.0
- version/oracle communications session route manager/8.2.4.0
- canonical/oracle communications unified inventory management
- version/oracle communications unified inventory management/7.4.1
- version/oracle communications unified inventory management/7.4.2
- version/oracle communications unified inventory management/7.5.0
- canonical/oracle documaker
- version/oracle documaker/12.6.0
- version/oracle documaker/12.6.4
- canonical/oracle enterprise data quality
- version/oracle enterprise data quality/12.2.1.3.0
- version/oracle enterprise data quality/12.2.1.4.0
- canonical/oracle financial services analytical applications infrastructure
- version/oracle financial services analytical applications infrastructure/8.0.8
- version/oracle financial services analytical applications infrastructure/8.1.1
- canonical/oracle healthcare data repository
- version/oracle healthcare data repository/8.1.0
- canonical/oracle insurance policy administration
- version/oracle insurance policy administration/11.0
- version/oracle insurance policy administration/11.3.1
- canonical/oracle insurance rules palette
- version/oracle insurance rules palette/11.0.2
- version/oracle insurance rules palette/11.1.0
- version/oracle insurance rules palette/11.2.7
- version/oracle insurance rules palette/11.3.0
- version/oracle insurance rules palette/11.3.1
- canonical/mysql enterprise monitor
- version/mysql enterprise monitor/8.0.25
- canonical/oracle retail assortment planning
- version/oracle retail assortment planning/16.0
- canonical/oracle customer management and segmentation foundation
- version/oracle customer management and segmentation foundation/16.0
- version/oracle customer management and segmentation foundation/19.0
- canonical/oracle retail financial integration
- version/oracle retail financial integration/14.1.3.2
- version/oracle retail financial integration/15.0.3.1
- version/oracle retail financial integration/16.0.3
- canonical/oracle retail integration bus
- version/oracle retail integration bus/14.1.3.2
- version/oracle retail integration bus/15.0.3.1
- version/oracle retail integration bus/16.0.3
- canonical/oracle retail merchandising system
- version/oracle retail merchandising system/19.0.1
- canonical/oracle retail order broker
- version/oracle retail order broker/16.0
- canonical/oracle retail predictive application server
- version/oracle retail predictive application server/14.1.3
- version/oracle retail predictive application server/15.0.3
- version/oracle retail predictive application server/16.0.3
- canonical/oracle utilities testing accelerator
- version/oracle utilities testing accelerator/6.0.0.1.1
- version/oracle utilities testing accelerator/6.0.0.2.2
- version/oracle utilities testing accelerator/6.0.0.3.1
- vendor/netapp
- canonical/netapp hci
- canonical/netapp management services for element software