Vulnerability Details : CVE-2022-22970

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Vulnerability category: Denial of service

Published 2022-05-12 20:15:15

Updated 2022-10-07 13:17:11

Source VMware

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-22970

Probability of exploitation activity in the next 30 days: 0.11%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 44 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-22970

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
3.5	LOW	AV:N/AC:M/Au:S/C:N/I:N/A:P	6.8	2.9	nvd@nist.gov
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
5.3	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H	1.6	3.6	nvd@nist.gov
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2022-22970

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Assigned by:
- nvd@nist.gov (Primary)
- security@vmware.com (Secondary)

References for CVE-2022-22970

https://security.netapp.com/advisory/ntap-20220616-0006/

CVE-2022-22970 Spring Framework Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html

Oracle Critical Patch Update Advisory - July 2022
Patch;Third Party Advisory

CVEs referencing this url
https://tanzu.vmware.com/security/cve-2022-22970

CVE-2022-22970 | Security | VMware Tanzu
Mitigation;Vendor Advisory

Products affected by CVE-2022-22970

Oracle » Financial Services Crime And Compliance Management Studio » Version: 8.0.8.2.0
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Crime And Compliance Management Studio » Version: 8.0.8.3.0
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*
Matching versions
Vmware » Spring Framework
Versions from including (>=) 5.3.0 and up to, including, (<=) 5.3.19
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Matching versions
Vmware » Spring Framework
Versions up to, including, (<=) 5.2.21
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Insight » Version: N/A
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
Matching versions
Netapp » Active Iq Unified Manager » Version: N/A For Vmware Vsphere
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
Matching versions
Netapp » Active Iq Unified Manager » Version: N/A For Windows
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
Matching versions
Netapp » Active Iq Unified Manager » Version: N/A For Linux
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
Matching versions
Netapp » Brocade San Navigator » Version: N/A
cpe:2.3:a:netapp:brocade_san_navigator:-:*:*:*:*:*:*:*
Matching versions
Netapp » Cloud Secure Agent » Version: N/A
cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*
Matching versions