Vulnerability Details : CVE-2021-22060
In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.
Exploit prediction scoring system (EPSS) score for CVE-2021-22060
Probability of exploitation activity in the next 30 days: 0.05%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 21 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2021-22060
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
8.0
|
2.9
|
[email protected] |
|
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
2.8
|
1.4
|
[email protected] |
References for CVE-2021-22060
-
https://www.oracle.com/security-alerts/cpuapr2022.html
Third Party Advisory
-
https://tanzu.vmware.com/security/cve-2021-22060
Vendor Advisory
Products affected by CVE-2021-22060
- cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*