CVE-2022-22970

moderate-risk

Published 2022-05-12

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Do I need to act?

0.16% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / HIGH complexity

Affected Products (9)

Spring Framework

Financial Services Crime And Compliance Management Studio

Active Iq Unified Manager

Brocade San Navigator

Cloud Secure Agent

Oncommand Insight

Affected Vendors

Oracle Vmware Netapp

References (6)

Third Party Advisory https://security.netapp.com/advisory/ntap-20220616-0006/

Mitigation https://tanzu.vmware.com/security/cve-2022-22970

Patch https://www.oracle.com/security-alerts/cpujul2022.html

Third Party Advisory https://security.netapp.com/advisory/ntap-20220616-0006/

Mitigation https://tanzu.vmware.com/security/cve-2022-22970

Patch https://www.oracle.com/security-alerts/cpujul2022.html

/ 100

moderate-risk

Severity 17/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 15/34 · Moderate