2075441 – (CVE-2022-22968) CVE-2022-22968 Spring Framework: Data Binding Rules Vulnerability

Bug 2075441 (CVE-2022-22968) - CVE-2022-22968 Spring Framework: Data Binding Rules Vulnerability

Summary: CVE-2022-22968 Spring Framework: Data Binding Rules Vulnerability

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-22968
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2075446
TreeView+	depends on / blocked

Reported:	2022-04-14 08:32 UTC by Avinash Hanwate
Modified:	2022-07-07 14:23 UTC (History)
CC List:	74 users (show)
Fixed In Version:	Spring Framework 5.3.19, Spring Framework 5.2.21
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-06-16 19:08:43 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:5101	0	None	None	None	2022-06-16 14:54:46 UTC
Red Hat Product Errata	RHSA-2022:5532	0	None	None	None	2022-07-07 14:23:09 UTC

Description Avinash Hanwate 2022-04-14 08:32:14 UTC

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

Comment 7 errata-xmlrpc 2022-06-16 14:54:41 UTC

This issue has been addressed in the following products:

  Red Hat AMQ 7.10.0

Via RHSA-2022:5101 https://access.redhat.com/errata/RHSA-2022:5101

Comment 8 Product Security DevOps Team 2022-06-16 19:08:01 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-22968

Comment 9 errata-xmlrpc 2022-07-07 14:23:04 UTC

This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532

Note You need to log in before you can comment on or make changes to this bug.

aboyko
aileenc
alazarot
anstephe
asoldano
ataylor
avibelli
bbaranow
bgeorges
bmaxwell
boliveir
brian.stansberry
cdewolf
chazlett
clement.escoffier
cmoulliard
dandread
darran.lofthouse
dkreling
dosoudil
drieden
emingora
etirelli
ewolinet
fjuma
gmalinko
gsmet
hamadhan
hbraun
ibek
ikanello
iweiss
janstey
jcantril
jnethert
jochrist
jolee
jrokos
jross
jschatte
jstastny
jwon
krathod
kverlaen
lgao
lthon
mnovotny
mosmerov
msochure
msvehla
mszynkie
nwallace
pantinor
pdelbell
pdrozd
peholase
pgallagh
pjindal
pmackay
probinso
rareddy
rguimara
rrajasek
rruss
rstancel
rsvoboda
sbiarozk
sdouglas
smaestri
sthorger
swoodman
tmielke
tom.jenkinson
tzimanyi