CVE-2022-22968: Input Validation
First published: Wed Apr 13 2022(Updated: )
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
Credit: security@vmware.com security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/Spring Framework | <5.3.19 | 5.3.19 |
| redhat/Spring Framework | <5.2.21 | 5.2.21 |
| VMware Spring Framework | <5.2.0 | |
| VMware Spring Framework | >=5.2.0<=5.2.20 | |
| VMware Spring Framework | >=5.3.0<=5.3.18 | |
| Netapp Active Iq Unified Manager Linux | ||
| Netapp Active Iq Unified Manager Vmware Vsphere | ||
| Netapp Active Iq Unified Manager Windows | ||
| Netapp Cloud Secure Agent | ||
| Netapp Metrocluster Tiebreaker Clustered Data Ontap | ||
| NetApp Snap Creator Framework | ||
| Netapp Snapmanager Oracle | ||
| Netapp Snapmanager Sap | ||
| Oracle Mysql Enterprise Monitor | <=8.0.29 | |
| maven/org.springframework:spring-context | <5.2.21.RELEASE | 5.2.21.RELEASE |
| maven/org.springframework:spring-context | >=5.3.0<5.3.19 | 5.3.19 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-22968 https://nvd.nist.gov/vuln/detail/CVE-2022-22968 https://tanzu.vmware.com/security/cve-2022-22968
- https://bugzilla.redhat.com/show_bug.cgi?id=2075441
- https://access.redhat.com/errata/RHSA-2022:5101
- https://access.redhat.com/errata/RHSA-2022:5532
- https://access.redhat.com/security/cve/cve-2022-22968
- https://exchange.xforce.ibmcloud.com/vulnerabilities/224374
- https://www.ibm.com/support/pages/node/6615289 (Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-22968
- https://tanzu.vmware.com/security/cve-2022-22968
- https://security.netapp.com/advisory/ntap-20220602-0004/
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea
- https://github.com/spring-projects/spring-framework/commit/a7cf19cec5ebd270f97a194d749e2d5701ad2ab7
- https://github.com/advisories/GHSA-g5mm-vmx4-3rg7 (Advisory)
- https://security.netapp.com/advisory/ntap-20220602-0004
Frequently Asked Questions
What is CVE-2022-22968?
CVE-2022-22968 is a vulnerability in the Spring Framework that allows insufficient protection of fields due to case sensitivity in data binding rules.
What is the severity of CVE-2022-22968?
CVE-2022-22968 has a severity rating of medium.
Which versions of Spring Framework are affected by CVE-2022-22968?
Spring Framework versions 5.3.0 - 5.3.18 and 5.2.0 - 5.2.20, as well as older unsupported versions, are affected by CVE-2022-22968.
How can I fix CVE-2022-22968?
To fix CVE-2022-22968, update your Spring Framework to version 5.3.19 or 5.2.21, depending on the version you are using.
Where can I find more information about CVE-2022-22968?
You can find more information about CVE-2022-22968 on the Red Hat website at the following links: [link1](https://access.redhat.com/errata/RHSA-2022:5101), [link2](https://access.redhat.com/security/cve/cve-2022-22968), [link3](https://access.redhat.com/errata/RHSA-2022:5532).
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-22968
- agent/software-canonical-lookup
- agent/severity
- agent/description
- agent/author
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-g5mm-vmx4-3rg7
- agent/references
- collector/github-advisory
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- agent/trending
- package-manager/redhat
- vendor/vmware
- canonical/vmware spring framework
- version/vmware spring framework/5.2.0
- version/vmware spring framework/5.2.20
- version/vmware spring framework/5.3.0
- version/vmware spring framework/5.3.18
- vendor/netapp
- canonical/netapp active iq unified manager linux
- canonical/netapp active iq unified manager vmware vsphere
- canonical/netapp active iq unified manager windows
- canonical/netapp cloud secure agent
- canonical/netapp metrocluster tiebreaker clustered data ontap
- canonical/netapp snap creator framework
- canonical/netapp snapmanager oracle
- canonical/netapp snapmanager sap
- vendor/oracle
- canonical/oracle mysql enterprise monitor
- version/oracle mysql enterprise monitor/8.0.29
- package-manager/maven