Vulnerability Name: CVE-2021-22096 (CCN-212430) Assigned: 2021-10-26 Published: 2021-10-26 Updated: 2022-04-28 Summary: In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. CVSS v3 Severity: 4.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 3.8 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): LowUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): NoneIntegrity (I): LowAvailibility (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): NoneIntegrity (I): LowAvailibility (A): None
CVSS v2 Severity: 4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAuthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): NoneIntegrity (I): PartialAvailibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): NoneImpact Metrics: Confidentiality (C): NoneIntegrity (I): PartialAvailibility (A): None
Vulnerability Type: CWE-Other Vulnerability Consequences: Bypass Security References: Source: MITRECVE-2021-22096 vmware-cve202122096-sec-bypass(212430) https://security.netapp.com/advisory/ntap-20211125-0005/ CVE-2021-22096: Log Injection in Spring Framework https://tanzu.vmware.com/security/cve-2021-22096 IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Spring Vulnerability exists in Watson Explorer (CVE-2021-22096) IBM Data Risk Manager is affected by multiple vulnerabilities IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965) IBM QRadar SIEM is vulnerable to using components with Known Vulnerabilities A vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2022-22950, CVE-2021-22096, CVE-2022-22968, CVE-2021-22060). IBM Common Licensing is vulnerable by a remote code attack in Spring Framework (CVE-2021-22096,CVE-2021-22060,CVE-2022-22950,CVE-2022-22968) IBM Sterling B2B Integrator vulnerable due to Spring Framework (CVE-2021-22096, CVE-2022-22950) IBM Cognos Controller has addressed multiple vulnerabilities Multiple vulnerabilities found on thirdparty libraries used by IBM MobileFirst Platform Multiple CVEs affect IBM Integration Designer IBM Engineering Requirements Management DOORS/DWA vulnerabilities fixes for 9.7.2.6 [All] Spring Framework - CVE-2021-22096 (Publicly disclosed vulnerability) Oracle Critical Patch Update Advisory - April 2022 https://www.oracle.com/security-alerts/cpuapr2022.html CVE-2021-22096 Vulnerable Configuration: Configuration 1 :cpe:/a:vmware:spring_framework:*:*:*:*:*:*:*:* (Version >= 5.2.0 and <= 5.2.17)OR cpe:/a:vmware:spring_framework:*:*:*:*:*:*:*:* (Version >= 5.3.0 and <= 5.3.10) Configuration 2 :cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:* OR cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:* OR cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:* OR cpe:/a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:* OR cpe:/a:netapp:metrocluster_tiebreaker:-:*:*:*:*:clustered_data_ontap:*:* OR cpe:/a:netapp:snap_creator_framework:-:*:*:*:*:*:*:* OR cpe:/a:netapp:snapcenter:-:*:*:*:*:*:*:* Configuration 3 :cpe:/a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_cloud_native_core_service_communication_proxy:1.15.0:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:vmware:spring_framework:5.3.0:-:*:*:*:*:*:* OR cpe:/a:pivotal_software:spring_framework:5.3.10:*:*:*:*:*:*:* OR cpe:/a:vmware:spring_framework:5.2.0:-:*:*:*:*:*:* OR cpe:/a:vmware:spring_framework:5.2.17:*:*:*:*:*:*:* AND cpe:/a:ibm:watson_explorer:11.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:watson_explorer:11.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.2:*:*:*:*:*:*:* OR cpe:/a:ibm:watson_explorer:11.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:watson_explorer:12.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:watson_explorer:12.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:watson_explorer:12.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:cognos_controller:10.4.0:*:*:*:*:*:*:* OR cpe:/a:ibm:mobilefirst_platform_foundation:8.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:cognos_controller:10.4.1:*:*:*:*:*:*:* OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.3:-:*:*:*:*:*:* OR cpe:/a:ibm:watson_explorer:12.0.3:*:deep_analytics:*:analytical_components:*:*:* OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.6:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.6.1:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.6.2:*:*:*:*:*:*:* OR cpe:/a:ibm:cognos_controller:10.4.2:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:* OR cpe:/a:ibm:integration_designer:20.0.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:watson_discovery:2.2.1:*:*:*:*:*:*:* OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.3:-:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.1.1.0:*:*:*:standard:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.6.4:*:*:*:*:*:*:* OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.5.0:-:*:*:*:*:*:* BACK
vmware spring framework *
vmware spring framework *
netapp active iq unified manager -
netapp active iq unified manager -
netapp active iq unified manager -
netapp management services for element software and netapp hci -
netapp metrocluster tiebreaker -
netapp snap creator framework -
netapp snapcenter -
oracle communications cloud native core console 1.9.0
oracle communications cloud native core service communication proxy 1.15.0
vmware spring framework 5.3.0 -
pivotal_software spring framework 5.3.10
vmware spring framework 5.2.0 -
vmware spring framework 5.2.17
ibm watson explorer 11.0.0
ibm watson explorer 11.0.1
ibm tivoli netcool configuration manager 6.4.2
ibm watson explorer 11.0.2
ibm watson explorer 12.0.0
ibm sterling b2b integrator 6.0.0.0
ibm watson explorer 12.0.1
ibm watson explorer 12.0.2
ibm cognos controller 10.4.0
ibm mobilefirst platform foundation 8.0.0
ibm cognos controller 10.4.1
ibm qradar security information and event manager 7.3.3
ibm watson explorer 12.0.3
ibm tivoli application dependency discovery manager 7.3.0.0
ibm data risk manager 2.0.6
ibm data risk manager 2.0.6.1
ibm data risk manager 2.0.6.2
ibm cognos controller 10.4.2
ibm sterling b2b integrator 6.1.0.0
ibm integration designer 20.0.0.2
ibm watson discovery 2.2.1
ibm qradar security information and event manager 7.4.3 -
ibm sterling b2b integrator 6.1.1.0
ibm data risk manager 2.0.6.4
ibm watson discovery 2.0.0
ibm qradar security information and event manager 7.5.0 -
Denotes that component is vulnerable