CVE-2022-22968

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:metrocluster_tiebreaker:-:*:*:*:*:clustered_data_ontap:*:*
cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*

Configuration 3 (hide)

cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-04-14 21:15

Updated : 2024-02-28 19:09


NVD link : CVE-2022-22968

Mitre link : CVE-2022-22968

CVE.ORG link : CVE-2022-22968


JSON object : View

Products Affected

oracle

  • mysql_enterprise_monitor

netapp

  • snapmanager
  • cloud_secure_agent
  • active_iq_unified_manager
  • metrocluster_tiebreaker
  • snap_creator_framework

vmware

  • spring_framework
CWE
CWE-178

Improper Handling of Case Sensitivity