CVE-2022-22970 : In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uplo

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Published 2022-05-12 20:15:15

Updated 2022-10-07 13:17:11

Source VMware

View at NVD, CVE.org

Vulnerability category: Denial of service

Exploit prediction scoring system (EPSS) score for CVE-2022-22970

Probability of exploitation activity in the next 30 days: 0.45%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 75 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-22970

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.5	LOW	AV:N/AC:M/Au:S/C:N/I:N/A:P	6.8	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
5.3	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H	1.6	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2022-22970

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Assigned by:
- nvd@nist.gov (Primary)
- security@vmware.com (Secondary)

References for CVE-2022-22970

https://security.netapp.com/advisory/ntap-20220616-0006/

CVE-2022-22970 Spring Framework Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html

Oracle Critical Patch Update Advisory - July 2022
Patch;Third Party Advisory

CVEs referencing this url
https://tanzu.vmware.com/security/cve-2022-22970

CVE-2022-22970 | Security | VMware Tanzu
Mitigation;Vendor Advisory

Products affected by CVE-2022-22970

Oracle » Financial Services Crime And Compliance Management Studio » Version: 8.0.8.2.0
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Crime And Compliance Management Studio » Version: 8.0.8.3.0
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*
Matching versions
Vmware » Spring Framework
Versions from including (>=) 5.3.0 and up to, including, (<=) 5.3.19
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Matching versions
Vmware » Spring Framework
Versions up to, including, (<=) 5.2.21
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Insight » Version: N/A
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
Matching versions
Netapp » Active Iq Unified Manager » Version: N/A For Vmware Vsphere
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
Matching versions
Netapp » Active Iq Unified Manager » Version: N/A For Windows
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
Matching versions
Netapp » Active Iq Unified Manager » Version: N/A For Linux
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
Matching versions
Netapp » Brocade San Navigator » Version: N/A
cpe:2.3:a:netapp:brocade_san_navigator:-:*:*:*:*:*:*:*
Matching versions
Netapp » Cloud Secure Agent » Version: N/A
cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2022-22970

Exploit prediction scoring system (EPSS) score for CVE-2022-22970

CVSS scores for CVE-2022-22970

CWE ids for CVE-2022-22970

References for CVE-2022-22970

Products affected by CVE-2022-22970