CVE-2022-22970 (Medium) detected in spring-beans-5.0.4.RELEASE.jar, spring-core-5.0.4.RELEASE.jar

## CVE-2022-22970 - Medium Severity Vulnerability
<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Libraries - spring-beans-5.0.4.RELEASE.jar, spring-core-5.0.4.RELEASE.jar</summary>


<details><summary>spring-beans-5.0.4.RELEASE.jar</summary>

Spring Beans
Library home page: <a href="https://github.com/spring-projects/spring-framework">https://github.com/spring-projects/spring-framework</a>
Path to dependency file: /sonatype-depshield-demo/pom.xml
Path to vulnerable library: /root/.m2/repository/org/springframework/spring-beans/5.0.4.RELEASE/spring-beans-5.0.4.RELEASE.jar


Dependency Hierarchy:
 - spring-boot-starter-web-2.0.0.RELEASE.jar (Root Library)
 - spring-web-5.0.4.RELEASE.jar
 - :x: **spring-beans-5.0.4.RELEASE.jar** (Vulnerable Library)
</details>
<details><summary>spring-core-5.0.4.RELEASE.jar</summary>

Spring Core
Library home page: <a href="https://github.com/spring-projects/spring-framework">https://github.com/spring-projects/spring-framework</a>
Path to dependency file: /sonatype-depshield-demo/pom.xml
Path to vulnerable library: /root/.m2/repository/org/springframework/spring-core/5.0.4.RELEASE/spring-core-5.0.4.RELEASE.jar


Dependency Hierarchy:
 - spring-boot-starter-web-2.0.0.RELEASE.jar (Root Library)
 - spring-boot-starter-2.0.0.RELEASE.jar
 - :x: **spring-core-5.0.4.RELEASE.jar** (Vulnerable Library)
</details>


</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/medium_vul.png' width=19 height=20> Vulnerability Details</summary>
 
 
In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Publish Date: 2022-05-12
URL: <a href=https://vuln.whitesourcesoftware.com/vulnerability/CVE-2022-22970>CVE-2022-22970</a>

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS 3 Score Details (5.3)</summary>


Base Score Metrics:
- Exploitability Metrics:
 - Attack Vector: Network
 - Attack Complexity: High
 - Privileges Required: Low
 - User Interaction: None
 - Scope: Unchanged
- Impact Metrics:
 - Confidentiality Impact: None
 - Integrity Impact: None
 - Availability Impact: High

For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>.

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/suggested_fix.png' width=19 height=20> Suggested Fix</summary>


Type: Upgrade version
Origin: <a href="https://tanzu.vmware.com/security/cve-2022-22970">https://tanzu.vmware.com/security/cve-2022-22970</a>
Release Date: 2022-05-12
Fix Resolution (org.springframework:spring-beans): 5.2.22.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.4.0Fix Resolution (org.springframework:spring-core): 5.2.22.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.4.0


</details>


***
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CVE-2022-22970 (Medium) detected in spring-beans-5.0.4.RELEASE.jar, spring-core-5.0.4.RELEASE.jar #506

CVE-2022-22970 - Medium Severity Vulnerability

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

CVE-2022-22970 (Medium) detected in spring-beans-5.0.4.RELEASE.jar, spring-core-5.0.4.RELEASE.jar #506

Description

CVE-2022-22970 - Medium Severity Vulnerability

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions