CVE-2021-22096 (Medium) detected in multiple libraries - autoclosed

[mend-bolt-for-github]

CVE-2021-22096 - Medium Severity Vulnerability

Vulnerable Libraries - spring-core-4.3.25.RELEASE.jar, spring-webmvc-4.3.25.RELEASE.jar, spring-web-4.3.25.RELEASE.jar

spring-core-4.3.25.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.25.RELEASE/spring-core-4.3.25.RELEASE.jar

Dependency Hierarchy:

• spring-security-ldap-4.2.18.RELEASE.jar (Root Library)
  • ❌ spring-core-4.3.25.RELEASE.jar (Vulnerable Library)

spring-webmvc-4.3.25.RELEASE.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/4.3.25.RELEASE/spring-webmvc-4.3.25.RELEASE.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.22.RELEASE.jar (Root Library)
  • ❌ spring-webmvc-4.3.25.RELEASE.jar (Vulnerable Library)

spring-web-4.3.25.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/4.3.25.RELEASE/spring-web-4.3.25.RELEASE.jar

Dependency Hierarchy:

• core-3.15.44.jar (Root Library)
  • ❌ spring-web-4.3.25.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: a172d7c5c9a732c7b02c1e2c1bca72d1a7e806b4

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: 2021-10-28

URL: CVE-2021-22096

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22096

Release Date: 2021-10-28

Fix Resolution (org.springframework:spring-core): 5.2.18.RELEASE

Direct dependency fix Resolution (org.springframework.security:spring-security-ldap): 5.7.0

Fix Resolution (org.springframework:spring-webmvc): 5.2.18.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.4.0

---

Step up your Open Source Security Game with Mend here

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.