Input validation error in Pivotal Spring Framework

#VU63976 Input validation error in Pivotal Spring Framework

Published: 2022-06-03

Vulnerability identifier: #VU63976

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22060

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pivotal Spring Framework
Server applications / Frameworks for developing and running applications

Vendor: Pivotal

Description

The vulnerability allows a remote attacker to modify existing log records.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and modify existing log records.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Pivotal Spring Framework: 5.3.0 - 5.3.13, 5.2.0 - 5.2.18

External links
http://tanzu.vmware.com/security/cve-2021-22060
http://www.oracle.com/security-alerts/cpuapr2022.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Storage Copy Data Management

Multiple vulnerabilities in IBM Storage Protect Plus Server

Multiple vulnerabilities in IBM Cognos Controller

Multiple vulnerabilities in Autodesk InfraWorks

Input validation error in IBM Sterling B2B Integrator

Multiple vulnerabilities in IBM QRadar SIEM

Multiple vulnerabilities in IBM MaaS360 Cloud Extender Agent, Mobile Enterprise Gateway and VPN Module

Multiple vulnerabilities in IBM Common Licensing