Please upgrade to Spring Framework 5.3.19 or 5.2.21.
Spring Framework Data Binding Rules Vulnerability (CVE-2022-22968) has been announced in the official Spring blog.
“While investigating the Spring Framework RCE vulnerability CVE-2022-22965 and the suggested workaround, we realized that the disallowedFields configuration setting on WebDataBinder is not intuitive and is not clearly documented. We have fixed that but also decided to be on the safe side and announce a follow-up CVE, in order to ensure application developers are alerted and have a chance to review their configuration”.
This is stated in the blog post by Sam Brannen.
CVE report published for Data Binding Rules Vulnerability (CVE-2022-22968).
Please upgrade to Spring Framework 5.3.19 or 5.2.21. https://t.co/z83VhrkqJX
— Spring Framework (@springframework) April 13, 2022
The fix has been released in Spring Framework 5.3.19 and 5.2.21.
The explanation in the blog post says that, prior to the fix in today’s releases, the patterns for disallowedFields in a DataBinder were case sensitive. This means a field was not effectively protected unless patterns were registered with both an upper-case and a lower-case first character of the field, including all combinations of upper and lower case for the first character of every nested field within the property path.
Here are the necessary conditions for the specific vulnerability:
- Registration of disallowed field patterns in a DataBinder
- spring-webmvc or spring-webflux dependency
- Spring Framework versions 5.3.0 to 5.3.18, 5.2.0 to 5.2.20, and older versions
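As an added example, not code from the Spring blog or the post above, here is a hypothetical @ControllerAdvice that registers disallowed field patterns for an assumed property path profile.role; the helper expands the path into the first-character case variants that vulnerable versions required, as described above.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Hypothetical global binder configuration (not from the Spring blog).
 * Protects the assumed nested property path "profile.role" from request binding.
 */
@ControllerAdvice
public class DataBindingRules {

    // Assumed application property path that must never be bound from request parameters.
    private static final String PROTECTED_PATH = "profile.role";

    @InitBinder
    public void configureBinder(WebDataBinder binder) {
        // Stricter alternative: allowlist exactly the fields a form may set.
        // binder.setAllowedFields("name", "email");

        // On 5.3.19 / 5.2.21 or later a single pattern is enough:
        // binder.setDisallowedFields(PROTECTED_PATH);

        // On vulnerable versions (5.3.0-5.3.18, 5.2.0-5.2.20, older) the match was
        // case sensitive, so every first-character case variant of every path
        // segment had to be registered or the field remained bindable.
        binder.setDisallowedFields(firstCharCaseVariants(PROTECTED_PATH).toArray(new String[0]));
    }

    /** Expands "a.b" into a.b, A.b, a.B, A.B (2^n variants for n segments). */
    static List<String> firstCharCaseVariants(String propertyPath) {
        List<String> variants = new ArrayList<>();
        variants.add("");
        for (String segment : propertyPath.split("\\.")) {
            String lower = Character.toLowerCase(segment.charAt(0)) + segment.substring(1);
            String upper = Character.toUpperCase(segment.charAt(0)) + segment.substring(1);
            List<String> next = new ArrayList<>();
            for (String prefix : variants) {
                String sep = prefix.isEmpty() ? "" : ".";
                next.add(prefix + sep + lower);
                next.add(prefix + sep + upper);
            }
            variants = next;
        }
        return variants;
    }
}
```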
Spring strongly recommends reassessing your data binding approach.
“If you’re using disallowed field patterns and plan to continue using them, you should definitely update to Spring Framework 5.3.19 and 5.2.21 or greater as soon as possible”.
More information can be found in the official Spring blog.