CVE-2022-22970

CVE-2022-22970

Name

CVE-2022-22970

Description

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://tanzu.vmware.com/security/cve-2022-22970
Third Party Advisory	https://security.netapp.com/advisory/ntap-20220616-0006/
Patch	https://www.oracle.com/security-alerts/cpujul2022.html

Type

URI

MISC

https://tanzu.vmware.com/security/cve-2022-22970

Third Party Advisory

https://security.netapp.com/advisory/ntap-20220616-0006/

Patch

https://www.oracle.com/security-alerts/cpujul2022.html

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:vmware:spring_framework::::::::`	spring_framework	>= 5.3.0	<= 5.3.19
`cpe:2.3:a:vmware:spring_framework::::::::`	spring_framework	>= None	<= 5.2.21

CPE URI

Source package

Min version

Max version

cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*

spring_framework

>= 5.3.0

<= 5.3.19

cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*

spring_framework

>= None

<= 5.2.21

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
jenkins	edge-community	2.361.2-r0	Francesco Colista <fcolista@alpinelinux.org>	fixed
jenkins	3.22-community	2.361.2-r0	None	fixed
jenkins	3.21-community	2.361.2-r0	None	fixed
jenkins	3.20-community	2.361.2-r0	None	fixed
jenkins	3.19-community	2.361.2-r0	None	fixed
jenkins	3.18-community	2.361.2-r0	None	fixed
jenkins	3.17-community	2.361.2-r0	Francesco Colista <fcolista@alpinelinux.org>	fixed

Source package

Branch

Version

Maintainer

Status

jenkins

edge-community

2.361.2-r0

Francesco Colista <fcolista@alpinelinux.org>

fixed

jenkins

3.22-community