Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-22118

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.

Published

2021-05-27T15:15:07.437

Last Modified

2024-11-21T05:49:32.563

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.8 (HIGH)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:P/I:P/A:P

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

3.9

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-269
Type: Primary
CWE-668

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	vmware	spring_framework	< 5.2.15	Yes
Application	vmware	spring_framework	< 5.3.7	Yes
Application	oracle	commerce_guided_search	11.3.2	Yes
Application	oracle	communications_brm_-_elastic_charging_engine	12.0.0.3	Yes
Application	oracle	communications_cloud_native_core_binding_support_function	1.9.0	Yes
Application	oracle	communications_cloud_native_core_policy	1.14.0	Yes
Application	oracle	communications_cloud_native_core_security_edge_protection_proxy	1.6.0	Yes
Application	oracle	communications_cloud_native_core_service_communication_proxy	1.14.0	Yes
Application	oracle	communications_cloud_native_core_unified_data_repository	1.14.0	Yes
Application	oracle	communications_diameter_intelligence_hub	≤ 8.1.0	Yes
Application	oracle	communications_diameter_intelligence_hub	≤ 8.2.3	Yes
Application	oracle	communications_element_manager	≤ 8.2.4.0	Yes
Application	oracle	communications_interactive_session_recorder	6.4	Yes
Application	oracle	communications_network_integrity	7.3.6	Yes
Application	oracle	communications_session_report_manager	≤ 8.2.4.0	Yes
Application	oracle	communications_session_route_manager	≤ 8.2.4.0	Yes
Application	oracle	communications_unified_inventory_management	7.4.1	Yes
Application	oracle	communications_unified_inventory_management	7.4.2	Yes
Application	oracle	communications_unified_inventory_management	7.5.0	Yes
Application	oracle	documaker	≤ 12.6.4	Yes
Application	oracle	enterprise_data_quality	12.2.1.3.0	Yes
Application	oracle	enterprise_data_quality	12.2.1.4.0	Yes
Application	oracle	financial_services_analytical_applications_infrastructure	≤ 8.1.1	Yes
Application	oracle	healthcare_data_repository	8.1.0	Yes
Application	oracle	insurance_policy_administration	≤ 11.3.1	Yes
Application	oracle	insurance_rules_palette	11.0.2	Yes
Application	oracle	insurance_rules_palette	11.1.0	Yes
Application	oracle	insurance_rules_palette	11.2.7	Yes
Application	oracle	insurance_rules_palette	11.3.0	Yes
Application	oracle	insurance_rules_palette	11.3.1	Yes
Application	oracle	mysql_enterprise_monitor	≤ 8.0.25	Yes
Application	oracle	retail_assortment_planning	16.0	Yes
Application	oracle	retail_customer_management_and_segmentation_foundation	≤ 19.0	Yes
Application	oracle	retail_financial_integration	14.1.3.2	Yes
Application	oracle	retail_financial_integration	15.0.3.1	Yes
Application	oracle	retail_financial_integration	16.0.3	Yes
Application	oracle	retail_integration_bus	14.1.3.2	Yes
Application	oracle	retail_integration_bus	15.0.3.1	Yes
Application	oracle	retail_integration_bus	16.0.3	Yes
Application	oracle	retail_merchandising_system	19.0.1	Yes
Application	oracle	retail_order_broker	16.0	Yes
Application	oracle	retail_predictive_application_server	14.1.3	Yes
Application	oracle	retail_predictive_application_server	15.0.3	Yes
Application	oracle	retail_predictive_application_server	16.0.3	Yes
Application	oracle	utilities_testing_accelerator	6.0.0.1.1	Yes
Application	oracle	utilities_testing_accelerator	6.0.0.2.2	Yes
Application	oracle	utilities_testing_accelerator	6.0.0.3.1	Yes
Application	netapp	hci	-	Yes
Application	netapp	management_services_for_element_software	-	Yes

References

https://security.netapp.com/advisory/ntap-20210713-0005/ Third Party Advisory ([email protected])
https://tanzu.vmware.com/security/cve-2021-22118 Third Party Advisory ([email protected])
https://www.oracle.com//security-alerts/cpujul2021.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujan2022.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujul2022.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuoct2021.html Patch, Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20210713-0005/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://tanzu.vmware.com/security/cve-2021-22118 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com//security-alerts/cpujul2021.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujan2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuoct2021.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)