CVE-2022-22968

high-risk

Published 2022-04-14

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

Do I need to act?

20.5% chance of exploitation in next 30 days

EPSS score — higher than 79% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (10)

Spring Framework

Active Iq Unified Manager

Cloud Secure Agent

Metrocluster Tiebreaker

Snap Creator Framework

Snapmanager

Mysql Enterprise Monitor

Affected Vendors

Oracle Vmware Netapp

References (6)

Third Party Advisory https://security.netapp.com/advisory/ntap-20220602-0004/

Vendor Advisory https://tanzu.vmware.com/security/cve-2022-22968

Third Party Advisory https://www.oracle.com/security-alerts/cpujul2022.html

Third Party Advisory https://security.netapp.com/advisory/ntap-20220602-0004/

Vendor Advisory https://tanzu.vmware.com/security/cve-2022-22968

Third Party Advisory https://www.oracle.com/security-alerts/cpujul2022.html

/ 100

high-risk

Severity 21/34 · High

Exploitability 14/34 · Moderate

Exposure 16/34 · Moderate