Please upgrade to Spring Framework 5.3.19 or 5.2.21.

Spring Framework Data Binding Rules Vulnerability (CVE-2022-22968) has been announced in the official Spring blog.

“While investigating the Spring Framework RCE vulnerability CVE-2022-22965 and the suggested workaround, we realized that the disallowedFields configuration setting on WebDataBinder is not intuitive and is not clearly documented. We have fixed that but also decided to be on the safe side and announce a follow-up CVE, in order to ensure application developers are alerted and have a chance to review their configuration”.

This was stated in the blog post by Sam Brannen.

The fix has been released in Spring Framework 5.3.19 and 5.2.21.

The blog post explains that, prior to the fix in these releases, the patterns for disallowedFields in a DataBinder were case sensitive. As a result, a field was not effectively protected unless patterns were registered with both the upper and lower case form of the first character of the field, including every combination of upper and lower case for the first character of all nested fields within the property path.
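The following Spring MVC controller is an added illustration of the point above, not code from the Spring blog post. The AccountController, the AccountForm class and its field names (displayName, admin, delegate) are assumed for the example. It shows the disallowedFields registration that was needed before 5.3.19 / 5.2.21 to cover the case variants of a top-level and a nested property, and the allowlist approach that is the safer choice on any version.

```java
// Added example: registering disallowed and allowed field patterns on a
// WebDataBinder. AccountController, AccountForm and the field names are
// assumptions made for this illustration, not part of the Spring blog post.
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

@Controller
public class AccountController {

    /** Hypothetical form-backing object populated from request parameters. */
    public static class AccountForm {
        private String displayName;
        private boolean admin;          // privileged flag; must never be bound from the request
        private AccountForm delegate;   // nested property, reachable via the path "delegate.admin"

        public String getDisplayName() { return displayName; }
        public void setDisplayName(String displayName) { this.displayName = displayName; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
        public AccountForm getDelegate() { return delegate; }
        public void setDelegate(AccountForm delegate) { this.delegate = delegate; }
    }

    @InitBinder("accountForm")
    public void initBinder(WebDataBinder binder) {
        // Before Spring Framework 5.3.19 / 5.2.21 the patterns below were matched
        // case-sensitively, so "admin" on its own did not cover the same property
        // addressed as "Admin". Protecting the nested path required every
        // upper/lower-case combination of the first character of each segment.
        // From 5.3.19 / 5.2.21 onwards one pattern per field is enough, because
        // matching is no longer case-sensitive.
        binder.setDisallowedFields(
                "admin", "Admin",
                "delegate.admin", "Delegate.admin", "delegate.Admin", "Delegate.Admin");

        // Preferred on any version: an explicit allowlist of the fields the form
        // is expected to bind. Every field not listed here is rejected, so the
        // privileged flag can never be set through data binding.
        binder.setAllowedFields("displayName");
    }

    @PostMapping("/account")
    public String update(@ModelAttribute("accountForm") AccountForm form) {
        // form.isAdmin() stays false whatever the request contained, since only
        // displayName is permitted to bind.
        return "redirect:/account";
    }
}
```

With both lists configured, a property must be in the allowed list and absent from the disallowed list to bind; once an allowlist is in place the disallowed patterns are redundant, which is why the allowlist is the simpler control to reason about after upgrading.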

Here are the necessary conditions for the specific vulnerability:

  • Registration of disallowed field patterns in a DataBinder
  • spring-webmvc or spring-webflux dependency
  • Spring Framework versions 5.3.0 to 5.3.18, 5.2.0 to 5.2.20, and older versions

Spring strongly recommends reassessing your data binding approach.

“If you’re using disallowed field patterns and plan to continue using them, you should definitely update to Spring Framework 5.3.19 and 5.2.21 or greater as soon as possible”.

More information can be found in the official Spring Blog.
