CVE-2021-22118

NameCVE-2021-22118
DescriptionIn Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libspring-java (PTS)stretch4.3.5-1fixed
stretch (security)4.3.5-1+deb9u1fixed
buster4.3.22-4fixed
bookworm, sid, bullseye4.3.30-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libspring-javasource(unstable)(not affected)

Notes

- libspring-java <not-affected> (Introduced in v5.0.0.RC1)
https://tanzu.vmware.com/security/cve-2021-22118
https://github.com/spring-projects/spring-framework/issues/26931
https://github.com/spring-projects/spring-framework/commit/cce60c479c22101f24b2b4abebb6d79440b120d1

Search for package or bug name: Reporting problems