CVE-2022-22968 : In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

Published 2022-04-14 21:15:09

Updated 2022-10-19 15:15:02

Source VMware

View at NVD, CVE.org

Products affected by CVE-2022-22968

Oracle » Mysql Enterprise Monitor
Versions up to, including, (<=) 8.0.29
cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
Matching versions
Vmware » Spring Framework
Versions from including (>=) 5.2.0 and up to, including, (<=) 5.2.20
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Matching versions
Vmware » Spring Framework
Versions before (<) 5.2.0
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Matching versions
Vmware » Spring Framework
Versions from including (>=) 5.3.0 and up to, including, (<=) 5.3.18
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Matching versions
Netapp » Snap Creator Framework » Version: N/A
cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
Matching versions
Netapp » Metrocluster Tiebreaker » Version: N/A For Clustered Data Ontap
cpe:2.3:a:netapp:metrocluster_tiebreaker:-:*:*:*:*:clustered_data_ontap:*:*
Matching versions
Netapp » Snapmanager » Version: N/A For Oracle
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*
Matching versions
Netapp » Snapmanager » Version: N/A For SAP
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*
Matching versions
Netapp » Active Iq Unified Manager » Version: N/A For Vmware Vsphere
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
Matching versions
Netapp » Active Iq Unified Manager » Version: N/A For Windows
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
Matching versions
Netapp » Active Iq Unified Manager » Version: N/A For Linux
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
Matching versions
Netapp » Cloud Secure Agent » Version: N/A
cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-22968

EPSS FAQ

31.11%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 96 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-22968

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2022-22968

CWE-178 Improper Handling of Case Sensitivity

The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-22968

https://security.netapp.com/advisory/ntap-20220602-0004/

CVE-2022-22968 Spring Framework Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://tanzu.vmware.com/security/cve-2022-22968

CVE-2022-22968 | Security | VMware Tanzu
Vendor Advisory
https://www.oracle.com/security-alerts/cpujul2022.html

Oracle Critical Patch Update Advisory - July 2022
Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2022-22968

Products affected by CVE-2022-22968

Exploit prediction scoring system (EPSS) score for CVE-2022-22968

CVSS scores for CVE-2022-22968

CWE ids for CVE-2022-22968

References for CVE-2022-22968