In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
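The description above places the weakness in the directory where WebFlux's multipart reader spills parts that are too large to hold in memory: when that directory lives under the shared system temp directory, any local user who creates (or deletes and recreates) it first owns it and controls what the application reads back from it. The configuration below is an added example, not code from the Spring Framework project or from any advisory listed on this page. It assumes Spring Framework 5.3.x (the `DefaultPartHttpMessageReader` and `ServerCodecConfigurer` calls used exist there), a POSIX filesystem, and a hypothetical application-owned path `/var/lib/myapp/multipart`. It gives the reader a dedicated storage root, refuses to start if that root is a symlink, belongs to another user, or is accessible to group/others, and then creates a fresh random-named subdirectory for the actual files.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.codec.ServerCodecConfigurer;
import org.springframework.http.codec.multipart.DefaultPartHttpMessageReader;
import org.springframework.http.codec.multipart.MultipartHttpMessageReader;
import org.springframework.web.reactive.config.WebFluxConfigurer;

/**
 * Example application config (not Spring's own code): points the WebFlux
 * multipart reader at a private directory instead of a location under the
 * shared system temp directory.
 */
@Configuration
public class MultipartStorageConfig implements WebFluxConfigurer {

    // Assumed path: a directory that only the service account should be able to enter.
    private static final Path STORAGE_ROOT = Paths.get("/var/lib/myapp/multipart");

    @Override
    public void configureHttpMessageCodecs(ServerCodecConfigurer configurer) {
        DefaultPartHttpMessageReader partReader = new DefaultPartHttpMessageReader();
        try {
            partReader.setFileStorageDirectory(privateStorageDirectory(STORAGE_ROOT));
        } catch (IOException e) {
            // Refuse to start rather than fall back to a directory someone else may own.
            throw new IllegalStateException("multipart storage is not private: " + STORAGE_ROOT, e);
        }
        partReader.setMaxInMemorySize(256 * 1024);           // parts larger than this are written to disk
        partReader.setMaxDiskUsagePerPart(10L * 1024 * 1024); // cap per-part disk usage
        partReader.setMaxParts(16);                           // cap number of parts per request
        configurer.defaultCodecs().multipartReader(new MultipartHttpMessageReader(partReader));
    }

    /**
     * Returns a freshly created, randomly named, owner-only subdirectory of root.
     * Throws instead of reusing root if it is a symlink, is owned by another
     * user, or is accessible to group/others, which is the "someone else
     * (re)created the directory first" condition from the CVE description.
     */
    static Path privateStorageDirectory(Path root) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        // No-op if root already exists; the checks below decide whether it is trustworthy.
        Files.createDirectories(root, PosixFilePermissions.asFileAttribute(ownerOnly));

        if (Files.isSymbolicLink(root)) {
            throw new IOException(root + " is a symbolic link");
        }
        String me = System.getProperty("user.name");
        String owner = Files.getOwner(root, LinkOption.NOFOLLOW_LINKS).getName();
        if (!me.equals(owner)) {
            throw new IOException(root + " is owned by " + owner + ", not " + me);
        }
        Set<PosixFilePermission> actual = Files.getPosixFilePermissions(root, LinkOption.NOFOLLOW_LINKS);
        if (!ownerOnly.containsAll(actual)) {
            throw new IOException(root + " is accessible to other users: "
                    + PosixFilePermissions.toString(actual));
        }
        // createTempDirectory creates a new, unpredictable entry atomically and never
        // reuses an existing one, so a pre-planted directory cannot be substituted for it.
        return Files.createTempDirectory(root, "upload-", PosixFilePermissions.asFileAttribute(ownerOnly));
    }
}
```

Upgrading to 5.2.15 or 5.3.7 remains the actual fix; explicit configuration only removes the application's dependence on the shared temp directory. The ownership and permission checks assume the parent of the storage root is not writable by other local users, since otherwise the root itself could be swapped between the checks and the `createTempDirectory` call.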
References
Link | Resource |
---|---|
https://security.netapp.com/advisory/ntap-20210713-0005/ | Third Party Advisory |
https://tanzu.vmware.com/security/cve-2021-22118 | Third Party Advisory |
https://www.oracle.com//security-alerts/cpujul2021.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpuapr2022.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpujan2022.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpujul2022.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpuoct2021.html | Patch Third Party Advisory |
History
25 Oct 2022, 20:57
Type | Values Removed | Values Added |
---|---|---|
CWE | | CWE-668 |
References | | (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory |
25 Jul 2022, 18:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
12 May 2022, 14:06
Type | Values Removed | Values Added |
---|---|---|
References | | (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory |
CPE | | cpe:2.3:a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:* |
First Time | | Oracle communications Diameter Intelligence Hub, Oracle communications Network Integrity, Oracle commerce Guided Search |
20 Apr 2022, 00:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
31 Mar 2022, 18:13
Type | Values Removed | Values Added |
---|---|---|
References | | (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory |
CPE | | cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_rules_palette:11.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_rules_palette:11.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_rules_palette:11.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_rules_palette:11.2.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.5.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.6.0:*:*:*:*:*:*:* |
First Time | | Oracle utilities Testing Accelerator, Oracle insurance Rules Palette, Oracle financial Services Analytical Applications Infrastructure, Oracle communications Cloud Native Core Policy, Oracle communications Cloud Native Core Service Communication Proxy, Oracle retail Customer Management And Segmentation Foundation, Oracle communications Unified Inventory Management, Oracle communications Cloud Native Core Security Edge Protection Proxy, Oracle communications Cloud Native Core Binding Support Function, Oracle communications Cloud Native Core Unified Data Repository |
07 Feb 2022, 16:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
07 Dec 2021, 19:36
Type | Values Removed | Values Added |
---|---|---|
References | | (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory |
References | | (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory |
References | | (CONFIRM) https://security.netapp.com/advisory/ntap-20210713-0005/ - Third Party Advisory |
CPE | | cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_assortment_planning:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_data_repository:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_predictive_application_server:16.0.3:*:*:*:*:*:*:* cpe:2.3:a:netapp:hci:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_policy_administration:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3:*:*:*:*:*:*:* cpe:2.3:a:netapp:management_services_for_element_software:-:*:*:*:*:*:*:* |
20 Oct 2021, 11:16
Type | Values Removed | Values Added |
---|---|---|
References | | |
20 Jul 2021, 23:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
16 Jun 2021, 13:54
Type | Values Removed | Values Added |
---|---|---|
CPE | | cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* |
07 Jun 2021, 23:46
Type | Values Removed | Values Added |
---|---|---|
References | | (MISC) https://tanzu.vmware.com/security/cve-2021-22118 - Third Party Advisory |
CWE | | CWE-269 |
CPE | | cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:* |
CVSS | | v2: 4.6, v3: 7.8 |
27 May 2021, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE | | |
Information
Published : 2021-05-27 15:15
Updated : 2023-12-10 13:55
NVD link : CVE-2021-22118
Mitre link : CVE-2021-22118
CVE.ORG link : CVE-2021-22118
Products Affected
oracle
- communications_cloud_native_core_security_edge_protection_proxy
- communications_diameter_intelligence_hub
- healthcare_data_repository
- communications_element_manager
- retail_merchandising_system
- communications_brm_-_elastic_charging_engine
- documaker
- communications_cloud_native_core_policy
- insurance_rules_palette
- retail_predictive_application_server
- financial_services_analytical_applications_infrastructure
- retail_order_broker
- mysql_enterprise_monitor
- communications_cloud_native_core_service_communication_proxy
- communications_session_report_manager
- insurance_policy_administration
- retail_assortment_planning
- communications_unified_inventory_management
- communications_network_integrity
- communications_cloud_native_core_unified_data_repository
- communications_cloud_native_core_binding_support_function
- enterprise_data_quality
- communications_interactive_session_recorder
- commerce_guided_search
- retail_financial_integration
- utilities_testing_accelerator
- retail_customer_management_and_segmentation_foundation
- retail_integration_bus
- communications_session_route_manager
netapp
- hci
- management_services_for_element_software
vmware
- spring_framework