CVE-2022-22968

Description

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

Risk Information

Base Score

5.3

MODERATE

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Score

Exploitation Probability

20.51

Associated Vulnerability

Vulnerability	OS Platform
Multiple vulnerabilities are affected in Oracle WebLogic Server 12.2.1.4.0	Windows
Multiple vulnerabilities are affected in Oracle WebLogic Server 14.1.1.0.0	Windows
Vulnerabilities CVE-2022-22968 are fixed in spring-context 5.3.19	Windows
Vulnerabilities CVE-2022-22968 are fixed in spring-context 5.2.21	Windows
Multiple Vulnerabilities are affected in Netapp Active Iq Unified Manager 2.3	Windows
Multiple Vulnerabilities are affected in IBM Tivoli Application Dependency Discovery Manager 7.3.0.9	Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11.0.1	Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.12.0.1	Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11.1.0	Windows
Multiple Vulnerabilities are affected in IBM Business Automation Workflow 24.0.1	Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 9.0.0.1	Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 9.5.0	Windows
Vulnerabilities CVE-2022-22968 are fixed in spring-context for Linux 5.3.19	Linux
Vulnerabilities CVE-2022-22968 are fixed in spring-context for Linux 5.2.21	Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234