MOI vulnerability of Spring Framework spring-core-5.3.19.jar - CVE-2022-22970

Article ID: 271590

Products

Mainframe Operational Intelligence

Issue/Introduction

Qualys has found a vulnerability in MOI 2.1. Please review the security vulnerability in Spring Framework - spring-core-5.3.19.jar.

CVE-2022-22970: Spring Framework DoS via Data Binding to MultipartFile or Servlet Part

 

Environment

Release : 2.1 IE4

Resolution

spring-core is a transitive dependency that comes from springframework. With MOI IE4, springframework has been upgraded to 5.3.27, which is not affected by CVE-2022-22970.

We see older versions of springframework (4.3.30) as a transitive dependency for some of our modules, but after looking at this in more detail, we concluded that the vulnerable file upload functionality is not used or exposed in the impacted module.

After the MOI IE4 upgrade, MOI is not exploitable through this vulnerability (CVE-2022-22970).