Privilege Escalation Affecting org.springframework:spring-web package, versions [5.3.0,5.3.7)[5.0.0.RELEASE,5.2.15.RELEASE)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.05% (19th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGSPRINGFRAMEWORK-1296829
  • published26 May 2021
  • disclosed26 May 2021
  • creditTrung Pham of Viettel Cyber Security

Introduced: 26 May 2021

CVE-2021-22118  (opens in a new tab)
CWE-264  (opens in a new tab)
First added by Snyk

How to fix?

Upgrade org.springframework:spring-web to version 5.3.7, 5.2.15.RELEASE or higher.

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Privilege Escalation. By recreating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.

CVSS Scores

version 3.1