Spring AOP vulnerability 

Issue date: 21-09-2021
Affects versions: 14.6

Security Issue ID

SECURITY-241

 

Affected Product Version(s)

14.6.0 and previous releases.


Severity 

medium


Description

CVE-2021-22118

 

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.

CWE-269 Improper Privilege Management

CVSSv2:

  • Base Score: MEDIUM (4.6)
  • Vector: /AV:L/AC:L/Au:N/C/I/A

CVSSv3:

  • Base Score: HIGH (7.8)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Instructions

Customers using the 14.x major versions are recommended to upgrade to the latest version in that series.