Vulnerability Name: CVE-2021-22060 (CCN-217183)
Assigned: 2021-01-04
Published: 2022-01-05
Updated: 2022-05-13

Summary: In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.

CVSS v3 Severity:
  4.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
  3.8 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): Low; User Interaction (UI): None
  Scope: Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): None; Integrity (I): Low; Availability (A): None

  4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
  3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): Low; User Interaction (UI): None
  Scope: Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): None; Integrity (I): Low; Availability (A): None

CVSS v2 Severity:
  4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): Single_Instance
  Impact Metrics: Confidentiality (C): None; Integrity (I): Partial; Availability (A): None

  4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): Single_Instance
  Impact Metrics: Confidentiality (C): None; Integrity (I): Partial; Availability (A): None
Vulnerability Type: CWE-noinfo
Vulnerability Consequences: Bypass Security

References:
  Source: MITRE  Type: CNA  CVE-2021-22060
  Source: XF  Type: UNKNOWN  vmwaretanzu-cve202122060-sec-bypass(217183)
  Source: CCN  Type: VMware Tanzu Web site  CVE-2021-22060: Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096)
  Source: MISC  Type: Vendor Advisory  https://tanzu.vmware.com/security/cve-2021-22060
  Source: CCN  Type: IBM Security Bulletin 6564601 (Watson Discovery)  IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Spring
  Source: CCN  Type: IBM Security Bulletin 6570915 (Data Risk Manager)  IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)
  Source: CCN  Type: IBM Security Bulletin 6573715 (Watson Explorer)  Vulnerability exists for Spring Framework in Watson Explorer (CVE-2021-22060, CVE-2022-22965, CVE-2022-22950)
  Source: CCN  Type: IBM Security Bulletin 6585760 (Tivoli Application Dependency Discovery Manager)  A vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2022-22950, CVE-2021-22096, CVE-2022-22968, CVE-2021-22060)
  Source: CCN  Type: IBM Security Bulletin 6591145 (Common Licensing)  IBM Common Licensing is vulnerable by a remote code attack in Spring Framework (CVE-2021-22096, CVE-2021-22060, CVE-2022-22950, CVE-2022-22968)
  Source: CCN  Type: IBM Security Bulletin 6592807 (MaaS360)  IBM MaaS360 Cloud Extender Agent, Mobile Enterprise Gateway and VPN module have multiple vulnerabilities (CVE-2021-22060, CVE-2022-22950, CVE-2022-0547, CVE-2022-0778, CVE-2022-22965)
  Source: CCN  Type: IBM Security Bulletin 6614725 (QRadar SIEM)  IBM QRadar SIEM includes components with multiple known vulnerabilities
  Source: CCN  Type: IBM Security Bulletin 6829861 (Sterling B2B Integrator)  IBM Sterling B2B Integrator vulnerable to security bypass due to Spring Framework (CVE-2021-22060)
  Source: CCN  Type: IBM Security Bulletin 6841803 (Cognos Controller)  IBM Cognos Controller has addressed multiple vulnerabilities
  Source: MISC  Type: Third Party Advisory  https://www.oracle.com/security-alerts/cpuapr2022.html

Vulnerable Configuration:
  Configuration 1:
    cpe:/a:vmware:spring_framework:*:*:*:*:*:*:*:* (Version >= 5.3.0 and <= 5.3.13)
    OR cpe:/a:vmware:spring_framework:*:*:*:*:*:*:*:* (Version >= 5.2.0 and <= 5.2.18)
  Configuration 2:
    cpe:/a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*
    OR cpe:/a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:*
  Configuration CCN 1:
    cpe:/a:vmware:spring_framework:5.2.18:*:*:*:*:*:*:*
    OR cpe:/a:pivotal_software:spring_framework:5.3.13:*:*:*:*:*:*:*
    AND cpe:/a:ibm:watson_explorer:11.0.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:watson_explorer:11.0.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:watson_explorer:11.0.2:*:*:*:*:*:*:*
    OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:*
    OR cpe:/a:ibm:watson_explorer:12.0.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:watson_explorer:12.0.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:watson_explorer:12.0.2:*:*:*:*:*:*:*
    OR cpe:/a:ibm:cognos_controller:10.4.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:cognos_controller:10.4.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:watson_explorer:12.0.3:*:deep_analytics:*:analytical_components:*:*:*
    OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*
    OR cpe:/a:ibm:cognos_controller:10.4.2:*:*:*:*:*:*:*
    OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:*
    OR cpe:/a:ibm:watson_discovery:2.2.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:sterling_b2b_integrator:6.1.1.0:*:*:*:standard:*:*:*
Vulnerable Components:
  Vendor | Product | Version
  vmware | spring framework | *
  vmware | spring framework | *
  oracle | communications cloud native core console | 1.9.0
  oracle | communications cloud native core service communication proxy | 1.15.0
  vmware | spring framework | 5.2.18
  pivotal_software | spring framework | 5.3.13
  ibm | watson explorer | 11.0.0
  ibm | watson explorer | 11.0.1
  ibm | watson explorer | 11.0.2
  ibm | qradar security information and event manager | 7.3
  ibm | watson explorer | 12.0.0
  ibm | sterling b2b integrator | 6.0.0.0
  ibm | watson explorer | 12.0.1
  ibm | watson explorer | 12.0.2
  ibm | cognos controller | 10.4.0
  ibm | cognos controller | 10.4.1
  ibm | watson discovery | 2.0.0
  ibm | watson explorer | 12.0.3
  ibm | tivoli application dependency discovery manager | 7.3.0.0
  ibm | qradar security information and event manager | 7.4 -
  ibm | cognos controller | 10.4.2
  ibm | sterling b2b integrator | 6.1.0.0
  ibm | watson discovery | 2.2.1
  ibm | sterling b2b integrator | 6.1.1.0