2087272 – (CVE-2022-22970) CVE-2022-22970 springframework: DoS via data binding to multipartFile or servlet part

Bug 2087272 (CVE-2022-22970) - CVE-2022-22970 springframework: DoS via data binding to multipartFile or servlet part

Summary: CVE-2022-22970 springframework: DoS via data binding to multipartFile or serv...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-22970
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2087273
Blocks:	2087215
TreeView+	depends on / blocked

Reported:	2022-05-17 18:03 UTC by Guilherme de Almeida Suckevicz
Modified:	2023-05-17 13:58 UTC (History)
CC List:	79 users (show)
Fixed In Version:	springframework 5.3.20, springframework 5.2.22
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Spring Framework. Applications that handle file uploads are vulnerable to a denial of service (DoS) attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
Clone Of:
Environment:
Last Closed:	2022-07-07 20:40:05 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:5532	None	None	None	2022-07-07 14:23:21 UTC
Red Hat Product Errata	RHSA-2023:1661	None	None	None	2023-04-05 13:35:08 UTC
Red Hat Product Errata	RHSA-2023:3185	None	None	None	2023-05-17 13:58:55 UTC

Description Guilherme de Almeida Suckevicz 2022-05-17 18:03:34 UTC

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Reference:
https://tanzu.vmware.com/security/cve-2022-22970

Comment 1 Guilherme de Almeida Suckevicz 2022-05-17 18:03:52 UTC

Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 2087273]

Comment 3 errata-xmlrpc 2022-07-07 14:23:16 UTC

This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532

Comment 4 Product Security DevOps Team 2022-07-07 20:40:01 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-22970

Comment 8 errata-xmlrpc 2023-04-05 13:35:04 UTC

This issue has been addressed in the following products:

  AMQ Broker 7.11.0

Via RHSA-2023:1661 https://access.redhat.com/errata/RHSA-2023:1661

Comment 9 errata-xmlrpc 2023-05-17 13:58:51 UTC

This issue has been addressed in the following products:

  AMQ Broker 7.10.3

Via RHSA-2023:3185 https://access.redhat.com/errata/RHSA-2023:3185

Note You need to log in before you can comment on or make changes to this bug.

aboyko
aileenc
alazarot
anstephe
asoldano
ataylor
avibelli
bbaranow
bgeorges
bmaxwell
boliveir
brian.stansberry
cdewolf
chazlett
clement.escoffier
cmoulliard
dandread
darran.lofthouse
dchen
dkreling
dosoudil
drieden
emingora
etirelli
extras-orphan
fjuma
ggaughan
gmalinko
gsmet
hamadhan
hbraun
ibek
ikanello
iweiss
janstey
java-sig-commits
jnethert
jochrist
jolee
jrokos
jross
jschatte
jstastny
jwon
krathod
kverlaen
lgao
lthon
mnovotny
mokumar
mosmerov
msochure
msvehla
mszynkie
nwallace
pantinor
pdelbell
pdrozd
peholase
pgallagh
pjindal
pmackay
probinso
pskopek
puntogil
rareddy
rguimara
rkieley
rrajasek
rruss
rstancel
rsvoboda
sbiarozk
sdouglas
smaestri
sthorger
swoodman
tom.jenkinson
tzimanyi