CVE-2022-22970

Name: CVE-2022-22970
Description: In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
NVD Severity: medium

References

Type                  URI
MISC                  https://tanzu.vmware.com/security/cve-2022-22970
Third Party Advisory  https://security.netapp.com/advisory/ntap-20220616-0006/
Patch                 https://www.oracle.com/security-alerts/cpujul2022.html

Match rules

CPE URI                                            Source package    Min version  Max version
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*  spring_framework  >= 5.3.0     <= 5.3.19
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*  spring_framework  >= None      <= 5.2.21

Vulnerable and fixed packages

Source package  Branch          Version     Maintainer                                   Status
jenkins         edge-community  2.361.2-r0  Francesco Colista <fcolista@alpinelinux.org>  fixed
jenkins         3.17-community  2.361.2-r0  Francesco Colista <fcolista@alpinelinux.org>  fixed