Skip to content

CVE-2021-22096 (Medium) detected in multiple libraries #264

New issue
New issue
Open
Open
CVE-2021-22096 (Medium) detected in multiple libraries#264
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
bot
opened on Dec 1, 2021

CVE-2021-22096 - Medium Severity Vulnerability

Vulnerable Libraries - spring-web-4.3.27.RELEASE.jar, spring-core-4.3.20.RELEASE.jar, spring-core-4.1.6.RELEASE.jar, spring-core-4.3.26.RELEASE.jar, spring-core-4.3.27.RELEASE.jar

spring-web-4.3.27.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /plugin-kms/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/4.3.27.RELEASE/spring-web-4.3.27.RELEASE.jar,/canner/.m2/repository/org/springframework/spring-web/4.3.27.RELEASE/spring-web-4.3.27.RELEASE.jar,/canner/.m2/repository/org/springframework/spring-web/4.3.27.RELEASE/spring-web-4.3.27.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/4.3.27.RELEASE/spring-web-4.3.27.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.3.27.RELEASE.jar (Vulnerable Library)
spring-core-4.3.20.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /tagsync/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.20.RELEASE/spring-core-4.3.20.RELEASE.jar

Dependency Hierarchy:

  • atlas-intg-2.1.0.jar (Root Library)
    • spring-context-4.3.20.RELEASE.jar
      • spring-core-4.3.20.RELEASE.jar (Vulnerable Library)
spring-core-4.1.6.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /plugin-schema-registry/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.1.6.RELEASE/spring-core-4.1.6.RELEASE.jar

Dependency Hierarchy:

  • common-auth-0.8.1.jar (Root Library)
    • spring-security-kerberos-core-1.0.1.RELEASE.jar
      • spring-core-4.1.6.RELEASE.jar (Vulnerable Library)
spring-core-4.3.26.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /ranger-atlas-plugin-shim/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.26.RELEASE/spring-core-4.3.26.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.26.RELEASE/spring-core-4.3.26.RELEASE.jar

Dependency Hierarchy:

  • atlas-authorization-2.1.0.jar (Root Library)
    • spring-security-core-4.2.16.RELEASE.jar
      • spring-core-4.3.26.RELEASE.jar (Vulnerable Library)
spring-core-4.3.27.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /plugin-kms/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.27.RELEASE/spring-core-4.3.27.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.27.RELEASE/spring-core-4.3.27.RELEASE.jar,/canner/.m2/repository/org/springframework/spring-core/4.3.27.RELEASE/spring-core-4.3.27.RELEASE.jar,/canner/.m2/repository/org/springframework/spring-core/4.3.27.RELEASE/spring-core-4.3.27.RELEASE.jar,/canner/.m2/repository/org/springframework/spring-core/4.3.27.RELEASE/spring-core-4.3.27.RELEASE.jar

Dependency Hierarchy:

  • spring-core-4.3.27.RELEASE.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: 2021-10-28

URL: CVE-2021-22096

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22096

Release Date: 2021-10-28

Fix Resolution (org.springframework:spring-core): 5.2.18.RELEASE

Direct dependency fix Resolution (org.apache.atlas:atlas-intg): 2.2.0

Fix Resolution (org.springframework:spring-core): 5.2.18.RELEASE

Direct dependency fix Resolution (com.hortonworks.registries:common-auth): 0.9.0

Fix Resolution (org.springframework:spring-core): 5.2.18.RELEASE

Direct dependency fix Resolution (org.apache.atlas:atlas-authorization): 2.2.0

⛑️ Automatic Remediation is available for this issue

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions