Blackduck scans have reported a new vulnerability: CVE-2021-22096 / BDSA-2021-3236

CVSS score is 4.3 or 4.7 (varies depending on selected issue: BDSA or CVE).

Release : 10.7.0

Component : Introscope

Details from BlackDuck (this vulnerability is currently under review with Black Duck):

Spring Framework Vulnerable to Log File Injection via Insufficient Input Validation

BDSA-2021-3236, CVE-2021-22096

Spring Framework is vulnerable to log file injection due to the insufficient validation of user input in an undisclosed component. An attacker could leverage this issue in order to add arbitrary entries to a log file which could impact both the integrity issues and performance issues.

Solution - Fix Available

Fixed in versions 5.3.11 and 5.2.18.

Note: 5.3.11 was found to contain a major regression, and so users should instead upgrade to 5.3.12.

The latest stable releases can be found here.

No Workaround

Will be fixed into the SP4, no ETA available.