CVE-2022-22970 In old unsupported versions of spring framework, apps that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

A malicious user with a model object could trigger an infinite loop by setting a data binding to a field that references an uploaded file.

An attacker could exploit this vulnerability by creating a model object with an uploaded field.

A malicious user could create a model object with an uploaded field and set a data binding to that field.

When a victim visits a vulnerable application and views the form, the malicious uploaded file is uploaded and served to the victim user.

After the malicious file is served to the user, it may cause a DoS attack by serving an infinite loop of itself to the victim user.

It is recommended to upgrade to a version of spring that resolves this issue, such as 5.3.20 or newer.

How To Upgrade Spring Framework to a version that resolves this issue.

Summary of Key Changes from 3.2.x to 5.3.x

Spring Framework 5.3.x and newer have resolved this issue. Please upgrade to a version of spring that resolves this issue, such as 5.3.20 or newer.

Timeline

Published on: 05/12/2022 20:15:00 UTC
Last modified on: 07/25/2022 18:20:00 UTC

References

• https://tanzu.vmware.com/security/cve-2022-22970
• https://security.netapp.com/advisory/ntap-20220616-0006/
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22970