In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
21 Nov 2024, 05:49
Type | Values Removed | Values Added |
---|---|---|
References | () https://security.netapp.com/advisory/ntap-20210713-0005/ - Third Party Advisory | |
References | () https://tanzu.vmware.com/security/cve-2021-22118 - Third Party Advisory | |
References | () https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory |
25 Oct 2022, 20:57
Type | Values Removed | Values Added |
---|---|---|
References | (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory | |
CWE | CWE-668 |
25 Jul 2022, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
12 May 2022, 14:06
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory | |
CPE | cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:* |
20 Apr 2022, 00:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
31 Mar 2022, 18:13
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_rules_palette:11.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_rules_palette:11.2.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_rules_palette:11.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.5.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_rules_palette:11.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.6.0:*:*:*:*:*:*:* |
|
References | (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory |
07 Feb 2022, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
07 Dec 2021, 19:36
Type | Values Removed | Values Added |
---|---|---|
References | (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory | |
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20210713-0005/ - Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory | |
CPE | cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:* cpe:2.3:a:netapp:management_services_for_element_software:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_policy_administration:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_predictive_application_server:16.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_data_repository:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_assortment_planning:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:netapp:hci:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:* |
20 Oct 2021, 11:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Jul 2021, 23:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
16 Jun 2021, 13:54
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* |
07 Jun 2021, 23:46
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-269 | |
CVSS |
v2 : v3 : |
v2 : 4.6
v3 : 7.8 |
References | (MISC) https://tanzu.vmware.com/security/cve-2021-22118 - Third Party Advisory | |
CPE | cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:* |
27 May 2021, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-05-27 15:15
Updated : 2024-11-21 05:49
NVD link : CVE-2021-22118
Mitre link : CVE-2021-22118
CVE.ORG link : CVE-2021-22118
JSON object : View
Products Affected
oracle
- communications_session_report_manager
- retail_order_broker
- insurance_rules_palette
- retail_merchandising_system
- communications_session_route_manager
- communications_interactive_session_recorder
- financial_services_analytical_applications_infrastructure
- utilities_testing_accelerator
- retail_financial_integration
- enterprise_data_quality
- communications_network_integrity
- communications_element_manager
- communications_brm_-_elastic_charging_engine
- communications_unified_inventory_management
- documaker
- communications_cloud_native_core_service_communication_proxy
- retail_integration_bus
- retail_assortment_planning
- communications_diameter_intelligence_hub
- communications_cloud_native_core_unified_data_repository
- communications_cloud_native_core_security_edge_protection_proxy
- retail_predictive_application_server
- commerce_guided_search
- insurance_policy_administration
- retail_customer_management_and_segmentation_foundation
- communications_cloud_native_core_policy
- communications_cloud_native_core_binding_support_function
- mysql_enterprise_monitor
- healthcare_data_repository
netapp
- management_services_for_element_software
- hci
vmware
- spring_framework