CVE-2021-22118
27.05.2021, 15:15
In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
Vendor | Product | Version
---|---|---
vmware | spring_framework | 5.2.0 ≤ x < 5.2.15
vmware | spring_framework | 5.3.0 ≤ x < 5.3.7
oracle | commerce_guided_search | 11.3.2
oracle | communications_brm_-_elastic_charging_engine | 12.0.0.3
oracle | communications_cloud_native_core_binding_support_function | 1.9.0
oracle | communications_cloud_native_core_policy | 1.14.0
oracle | communications_cloud_native_core_security_edge_protection_proxy | 1.6.0
oracle | communications_cloud_native_core_service_communication_proxy | 1.14.0
oracle | communications_cloud_native_core_unified_data_repository | 1.14.0
oracle | communications_diameter_intelligence_hub | 8.0.0 ≤ x ≤ 8.1.0
oracle | communications_diameter_intelligence_hub | 8.2.0 ≤ x ≤ 8.2.3
oracle | communications_element_manager | 8.2.0 ≤ x ≤ 8.2.4.0
oracle | communications_interactive_session_recorder | 6.4
oracle | communications_network_integrity | 7.3.6
oracle | communications_session_report_manager | 8.0.0 ≤ x ≤ 8.2.4.0
oracle | communications_session_route_manager | 8.0.0 ≤ x ≤ 8.2.4.0
oracle | communications_unified_inventory_management | 7.4.1
oracle | communications_unified_inventory_management | 7.4.2
oracle | communications_unified_inventory_management | 7.5.0
oracle | documaker | 12.6.0 ≤ x ≤ 12.6.4
oracle | enterprise_data_quality | 12.2.1.3.0
oracle | enterprise_data_quality | 12.2.1.4.0
oracle | financial_services_analytical_applications_infrastructure | 8.0.8 ≤ x ≤ 8.1.1
oracle | healthcare_data_repository | 8.1.0
oracle | insurance_policy_administration | 11.0 ≤ x ≤ 11.3.1
oracle | insurance_rules_palette | 11.0.2
oracle | insurance_rules_palette | 11.1.0
oracle | insurance_rules_palette | 11.2.7
oracle | insurance_rules_palette | 11.3.0
oracle | insurance_rules_palette | 11.3.1
oracle | mysql_enterprise_monitor | x ≤ 8.0.25
oracle | retail_assortment_planning | 16.0
oracle | retail_customer_management_and_segmentation_foundation | 16.0 ≤ x ≤ 19.0
oracle | retail_financial_integration | 14.1.3.2
oracle | retail_financial_integration | 15.0.3.1
oracle | retail_financial_integration | 16.0.3
oracle | retail_integration_bus | 14.1.3.2
oracle | retail_integration_bus | 15.0.3.1
oracle | retail_integration_bus | 16.0.3
oracle | retail_merchandising_system | 19.0.1
oracle | retail_order_broker | 16.0
oracle | retail_predictive_application_server | 14.1.3
oracle | retail_predictive_application_server | 15.0.3
oracle | retail_predictive_application_server | 16.0.3
oracle | utilities_testing_accelerator | 6.0.0.1.1
oracle | utilities_testing_accelerator | 6.0.0.2.2
oracle | utilities_testing_accelerator | 6.0.0.3.1
netapp | hci | -
netapp | management_services_for_element_software | -

x = vulnerable software version
Common Weakness Enumeration
- CWE-269 - Improper Privilege Management: The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
- CWE-668 - Exposure of Resource to Wrong Sphere: The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.