Strix
26.1K

CVE-2021-22112

HIGHCVSS 8.8/10EPSS 3.17%

Last modified

CVE-2021-22112 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.. EPSS estimates a 3.17% chance of exploitation in the next 30 days.

Description

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

Metrics

CVSS 3.1
8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
3.17%

86.4th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

VendorProductVersions
Pivotal SoftwareSpring Security< 5.2.9
Pivotal SoftwareSpring Security>= 5.3.0, < 5.3.8
VmwareSpring Security>= 5.4.0, < 5.4.4
OracleCommunications Element Manager>= 8.2.0, <= 8.2.4.0
OracleCommunications Interactive Session Recorder6.3
OracleCommunications Interactive Session Recorder6.4
OracleCommunications Unified Inventory Management7.4.1
OracleHospitality Cruise Shipboard Property Management System20.1.0
OracleInsurance Policy Administration11.2.0
OracleInsurance Policy Administration11.3.0
OracleMysql Enterprise Monitor<= 8.0.25

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2021-22112?
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
How severe is CVE-2021-22112?
CVE-2021-22112 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 3.17% probability of exploitation in the next 30 days.
How do I fix CVE-2021-22112?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-22112?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST