CVE-2021-22112

Description

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

Risk Information

Base Score: 8.8 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score (Exploitation Probability): 0.979

Associated Vulnerability

Vulnerability | OS Platform
Vulnerabilities CVE-2021-22112 are fixed in spring-security-web 5.2.9 | Windows
Vulnerabilities CVE-2021-22112 are fixed in spring-security-web 5.4.4 | Windows
Vulnerabilities CVE-2021-22112 are fixed in spring-security-web 5.3.8 | Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.4.0 | Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.4.1 | Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.4.2 | Windows
Vulnerabilities CVE-2021-22112 are fixed in Spring - spring-security-bom 5.4.4 | Windows
Vulnerabilities CVE-2021-22112 are fixed in Spring - spring-security-bom 5.3.8 | Windows
Vulnerabilities CVE-2021-22112 are fixed in Spring - spring-security-bom 5.2.9 | Windows
Vulnerabilities CVE-2021-22112 are fixed in spring-security-web for Linux 5.2.9 | Linux
Vulnerabilities CVE-2021-22112 are fixed in spring-security-web for Linux 5.4.4 | Linux
Vulnerabilities CVE-2021-22112 are fixed in spring-security-web for Linux 5.3.8 | Linux
Vulnerabilities CVE-2021-22112 are fixed in Spring - spring-security-bom for Linux 5.4.4 | Linux
Vulnerabilities CVE-2021-22112 are fixed in Spring - spring-security-bom for Linux 5.3.8 | Linux
Vulnerabilities CVE-2021-22112 are fixed in Spring - spring-security-bom for Linux 5.2.9 | Linux

Patch Details

No records found
