CVE-2021-22118

Sep 3, 2024

Published Date: 2021-05-27T15:15Z
Last Modified: 2022-10-25T20:57Z

CVSS Score: 7.8 (HIGH)

EPSS Score: 0.05%

Risk Score: 5.46 (HIGH)

The Risk Score is derived from the CVSS score and the EPSS score. It is provided for reference only and is not an internationally recognized metric.

Description: In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.

MITRE ATT&CK Technique (v15.1)

T1053.002 – At

Technical Analysis & Mitigation Measures

Reference Links

Vendor - Product - Version

spring_framework - vmware
retail_order_broker - oracle
retail_predictive_application_server - oracle
enterprise_data_quality - oracle
retail_assortment_planning - oracle
retail_financial_integration - oracle
communications_network_integrity - oracle
retail_integration_bus - oracle
insurance_rules_palette - oracle
communications_interactive_session_recorder - oracle
commerce_guided_search - oracle
communications_unified_inventory_management - oracle
retail_customer_management_and_segmentation_foundation - oracle
communications_element_manager - oracle
insurance_policy_administration - oracle
healthcare_data_repository - oracle
documaker - oracle
mysql_enterprise_monitor - oracle
communications_session_report_manager - oracle
communications_brm_-_elastic_charging_engine - oracle
communications_session_route_manager - oracle
retail_merchandising_system - oracle
utilities_testing_accelerator - oracle
communications_cloud_native_core_policy - oracle
communications_cloud_native_core_unified_data_repository - oracle
communications_cloud_native_core_service_communication_proxy - oracle
communications_cloud_native_core_security_edge_protection_proxy - oracle
communications_cloud_native_core_binding_support_function - oracle
financial_services_analytical_applications_infrastructure - oracle
communications_diameter_intelligence_hub - oracle
hci - netapp
management_services_for_element_software - netapp

Disclaimer

The content on this website is automatically sourced from external websites such as the National Vulnerability Database (NVD), GitHub, and other security-related sources. This content is for reference purposes only, and we are not responsible for the accuracy or integrity of the information linked or displayed from these sources.