Description

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Remediation

References

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.securityfocus.com/bid/103697

https://access.redhat.com/errata/RHSA-2018:1320

https://access.redhat.com/errata/RHSA-2018:2669

https://pivotal.io/security/cve-2018-1272

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/security-alerts/cpuoct2021.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Related Vulnerabilities

CVE-2017-13098 Vulnerability in maven package com.madgag.spongycastle:bctls-jdk15on

CVE-2016-4055 Vulnerability in npm package moment

CVE-2022-23107 Vulnerability in maven package io.jenkins.plugins:warnings-ng

CVE-2022-31692 Vulnerability in maven package org.springframework.security:spring-security-web

CVE-2020-28500 Vulnerability in maven package org.fujion.webjars:lodash

Severity

High

Classification

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory VDB Entry Vendor Advisory NVD-CWE-noinfo