In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
References
Link | Resource |
---|---|
https://security.netapp.com/advisory/ntap-20220602-0004/ | Third Party Advisory |
https://tanzu.vmware.com/security/cve-2022-22968 | Vendor Advisory |
https://www.oracle.com/security-alerts/cpujul2022.html | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
No history.
Information
Published : 2022-04-14 21:15
Updated : 2024-02-28 19:09
NVD link : CVE-2022-22968
Mitre link : CVE-2022-22968
CVE.ORG link : CVE-2022-22968
JSON object : View
Products Affected
oracle
- mysql_enterprise_monitor
netapp
- snapmanager
- cloud_secure_agent
- active_iq_unified_manager
- metrocluster_tiebreaker
- snap_creator_framework
vmware
- spring_framework
CWE
CWE-178
Improper Handling of Case Sensitivity