Vulnerability disclosed in Spring Framework

Issue date: 13-12-2021
Affects versions: 14.6, 13.4

Security Issue ID

SECURITY-268


Affected Product Version(s)

14.6.3, 13.4.10 and previous releases.


Severity

Medium


Description

CVE-2021-22096

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries (log injection: user-controlled text containing line breaks is written to the log unescaped, so an attacker can forge records that look like separate, legitimate events).
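The following is an added illustration of the vulnerability class described above and of the two checks a practitioner would want; it is not code from the original advisory, from the product, or from the Spring Framework, and it does not reproduce the specific Spring code path that was fixed. The version-range check encodes only the affected ranges quoted in the description; the sample field value, the log format, and the `sanitize_for_log` helper are constructed for this example.

```python
import io
import logging
import re

# Constructed sample input: a user-supplied field value that embeds CR/LF followed by
# text shaped like a second, legitimate-looking log record (hypothetical, not from the CVE).
MALICIOUS_INPUT = "alice\r\n2021-12-13 10:00:01 INFO  Login succeeded for user=admin"


def spring_version_affected(version):
    """True when a Spring Framework version string falls in the affected ranges
    quoted in the advisory: 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and anything older.
    Qualifiers such as '.RELEASE' after the third component are ignored."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    if (major, minor) == (5, 3):
        return patch <= 10
    if (major, minor) == (5, 2):
        return patch <= 17
    return (major, minor) < (5, 2)


def _make_logger(name):
    """Logger writing to an in-memory buffer so the output can be inspected."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter(
        "%(asctime)s %(levelname)s  %(message)s", datefmt="%Y-%m-%d %H:%M:%S"))
    logger.addHandler(handler)
    return logger, buf


def log_vulnerable(value):
    """Vulnerable pattern: the raw value is interpolated into the log message.
    A CR/LF inside it terminates the record early and forges a second one."""
    logger, buf = _make_logger("example.vulnerable")
    logger.info("Rejected field value: %s", value)
    return buf.getvalue()


# Line breaks and other ASCII control characters; each is replaced by a visible escape.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value):
    """Hypothetical hardening helper: encode control characters as \\xNN so that
    one input value always occupies exactly one log record."""
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def log_hardened(value):
    """Hardened pattern: sanitize before the value reaches the log."""
    logger, buf = _make_logger("example.hardened")
    logger.info("Rejected field value: %s", sanitize_for_log(value))
    return buf.getvalue()


def record_count(log_text):
    """Number of physical log records (non-empty lines) in captured log output."""
    return len([line for line in log_text.splitlines() if line])


if __name__ == "__main__":
    for v in ("5.3.10", "5.3.11", "5.2.17.RELEASE", "5.2.18.RELEASE", "5.1.20.RELEASE"):
        print(v, "affected" if spring_version_affected(v) else "not affected")
    print("--- vulnerable ---")
    print(log_vulnerable(MALICIOUS_INPUT), end="")
    print("--- hardened ---")
    print(log_hardened(MALICIOUS_INPUT), end="")
```

Run stand-alone, the vulnerable logger emits two records for a single call, the second of which reads as a successful admin login that never happened; the hardened logger emits one record with the injected line break visible as `\x0d\x0a`. The version check is a quick way to triage the `spring-core` jar an application actually bundles against the ranges in the description.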

CVSSv2:

  • Base Score: MEDIUM (4.0)
  • Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSSv3:

  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Instructions

Customers are advised to upgrade to the latest release of their product line. As of the time of writing, that is 14.7.0 for the 14.x line or 13.4.11 for the 13.x line; these releases, and any later ones, are not affected by this issue.