CVE-2021-22096 : In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Published 2021-10-28 16:15:08

Updated 2022-04-28 14:53:08

Source VMware

View at NVD, CVE.org

Products affected by CVE-2021-22096

Oracle » Communications Cloud Native Core Console » Version: 1.9.0
cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Service Communication Proxy » Version: 1.15.0
cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:*
Matching versions
Vmware » Spring Framework
Versions from including (>=) 5.3.0 and up to, including, (<=) 5.3.10
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Matching versions
Vmware » Spring Framework
Versions from including (>=) 5.2.0 and up to, including, (<=) 5.2.17
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Matching versions
Netapp » Snap Creator Framework » Version: N/A
cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
Matching versions
Netapp » Metrocluster Tiebreaker » Version: N/A For Clustered Data Ontap
cpe:2.3:a:netapp:metrocluster_tiebreaker:-:*:*:*:*:clustered_data_ontap:*:*
Matching versions
Netapp » Snapcenter » Version: N/A
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
Matching versions
Netapp » Active Iq Unified Manager » Version: N/A For Windows
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
Matching versions
Netapp » Active Iq Unified Manager » Version: N/A For Linux
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
Matching versions
Netapp » Active Iq Unified Manager » Version: N/A For Vsphere
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:*
Matching versions
Netapp » Management Services For Element Software And Netapp Hci » Version: N/A
cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-22096

EPSS FAQ

0.23%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 43 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-22096

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:N/I:P/A:N	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	2.8	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2021-22096

CWE-117 Improper Output Neutralization for Logs

The product does not neutralize or incorrectly neutralizes output that is written to logs.

Assigned by: security@vmware.com (Secondary)

References for CVE-2021-22096

https://www.oracle.com/security-alerts/cpuapr2022.html

Oracle Critical Patch Update Advisory - April 2022
Third Party Advisory

CVEs referencing this url
https://tanzu.vmware.com/security/cve-2021-22096

CVE-2021-22096: Log Injection in Spring Framework | Security | VMware Tanzu
Vendor Advisory
https://security.netapp.com/advisory/ntap-20211125-0005/

CVE-2021-22096 Spring Framework Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-22096

Products affected by CVE-2021-22096

Exploit prediction scoring system (EPSS) score for CVE-2021-22096

CVSS scores for CVE-2021-22096

CWE ids for CVE-2021-22096

References for CVE-2021-22096