Blackduck scans have reported a new vulnerability: CVE-2021-22096 / BDSA-2021-3236
CVSS score is 4.3 or 4.7, depending on which issue is selected (BDSA or CVE).
Release: 10.7.0
Component: Introscope
Details from BlackDuck (this vulnerability is currently under review with Black Duck):
Spring Framework Vulnerable to Log File Injection via Insufficient Input Validation
BDSA-2021-3236, CVE-2021-22096
Spring Framework is vulnerable to log file injection due to insufficient validation of user input in an undisclosed component. An attacker could leverage this issue to add arbitrary entries to a log file, which could impact both log integrity and performance.
Fixed in versions 5.3.11 and 5.2.18.
Note: 5.3.11 was found to contain a major regression, and so users should instead upgrade to 5.3.12.
The latest stable releases can be found here.
No Workaround
Will be fixed in SP4; no ETA available.
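The vulnerability class described above, as an added illustration in generic Python (not code from Black Duck, Spring or the Introscope product): the same log record is written once with the insufficient validation and once with control characters in the user-supplied value neutralized, so a CR/LF in the input cannot terminate the record and forge a second one. The timestamp layout, level names and sample input are constructed for the example.

```python
import re

# C0 control characters plus DEL. CR and LF let a user-supplied value end one
# log record and start a new, attacker-chosen one; the others can corrupt
# terminals and downstream log parsers.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value: str) -> str:
    """Escape control characters so the value stays inside a single record."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def format_record(level: str, message: str, user_value: str,
                  sanitize: bool = True,
                  when: str = "2021-10-20 12:00:00") -> str:
    """Build one log record of the constructed form 'TIMESTAMP LEVEL message'.

    sanitize=False reproduces the 'insufficient input validation' behaviour;
    sanitize=True is the hardened form. The fixed timestamp keeps output
    deterministic for the example.
    """
    if sanitize:
        user_value = sanitize_for_log(user_value)
    return f"{when} {level} {message}{user_value}"


def count_records(log_text: str) -> int:
    """Number of newline-delimited records a log consumer would see."""
    return len([line for line in log_text.split("\n") if line])


# Constructed attacker input: a username followed by a newline and a
# plausible-looking second record that never actually happened.
SAMPLE_INPUT = "alice\n2021-10-20 12:00:01 INFO Login succeeded user=admin"

if __name__ == "__main__":
    vulnerable = format_record("WARN", "Login failed user=", SAMPLE_INPUT, sanitize=False)
    hardened = format_record("WARN", "Login failed user=", SAMPLE_INPUT)
    print("unsanitized ->", count_records(vulnerable), "record(s):")
    print(vulnerable)
    print("sanitized   ->", count_records(hardened), "record(s):")
    print(hardened)
```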