#VU61720 Input validation error in Pivotal Spring Framework


Published: 2022-03-29

Vulnerability identifier: #VU61720

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22096

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pivotal Spring Framework
Server applications / Frameworks for developing and running applications

Vendor: Pivotal

Description

The vulnerability allows a remote attacker to modify existing log records.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and inject arbitrary records into log files.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Pivotal Spring Framework: 5.3.0 - 5.3.11, 5.2.0 - 5.2.17

External links
http://tanzu.vmware.com/security/cve-2021-22096
http://security.netapp.com/advisory/ntap-20211125-0005/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM MobileFirst Platform Foundation
Multiple vulnerabilities in IBM Integration Designer
Multiple vulnerabilities in IBM Storage Protect Plus Server
Multiple vulnerabilities in IBM Engineering Requirements Management DOORS/DWA
Multiple vulnerabilities in IBM Cognos Controller
Input validation error in IBM Tivoli Netcool Configuration Manager
Multiple vulnerabilities in Autodesk InfraWorks
Multiple vulnerabilities in IBM Sterling B2B Integrator
Multiple vulnerabilities in Red Hat Virtualization Manager
Multiple vulnerabilities in IBM Common Licensing