CVE-2022-22970: - Spring Framework DOS Security Vulnerability

Article ID: 280732

Products

CA Identity Manager

Issue/Introduction

Information on Identity Suite's potential exposure to vulnerability CVE-2022-22970.

https://nvd.nist.gov/vuln/detail/CVE-2022-22970
In Spring Framework versions prior to 5.3.20+, 5.2.22+, and old unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

https://spring.io/security/cve-2022-22970

Affected Spring Products and Versions
Spring Framework
5.3.0 to 5.3.19
5.2.0 to 5.2.21
Older, unsupported versions are also affected
Mitigation
Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.20; 5.2.x users should upgrade to 5.2.22. No other steps are necessary. Releases that have fixed this issue include:

Spring Framework
5.3.20
5.2.22
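The affected and fixed version ranges above are the practical check a deployment owner needs: which Spring Framework jars are on the classpath, and whether each version falls inside 5.3.0 to 5.3.19, 5.2.0 to 5.2.21, or the older unsupported lines. The following script is an added example, not code from this article, from Broadcom/CA or from the Spring project. It encodes the ranges exactly as listed here, reads the version from each jar's MANIFEST.MF (falling back to the version in the filename), and reports the upgrade target from the mitigation section. The jar names and manifest contents used in the demo are constructed for illustration.

```python
"""Check Spring Framework jars against the CVE-2022-22970 affected ranges
listed in the advisory: 5.3.0-5.3.19, 5.2.0-5.2.21, plus older unsupported versions."""
import io
import re
import zipfile
from pathlib import Path

# Ranges and first fixed releases, taken verbatim from the advisory text.
AFFECTED_RANGES = [((5, 3, 0), (5, 3, 19)), ((5, 2, 0), (5, 2, 21))]
FIRST_FIXED = {(5, 3): (5, 3, 20), (5, 2): (5, 2, 22)}
OLDEST_SUPPORTED = (5, 2, 0)  # anything below this is "older, unsupported" and affected

# Spring Framework artifacts whose version identifies the framework release (assumption:
# the usual Maven artifact naming, e.g. spring-web-5.3.19.jar).
SPRING_JAR = re.compile(r"^spring-(web|webmvc|webflux|core|context|beans)-\d")


def parse_version(text):
    """Leading major.minor.patch triple of '5.3.19' or '5.2.21.RELEASE'; None if absent."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True if this Spring Framework version is in an affected range per the advisory."""
    if version < OLDEST_SUPPORTED:
        return True  # "Older, unsupported versions are also affected"
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def version_from_jar(jar_bytes, filename):
    """Prefer Implementation-Version from META-INF/MANIFEST.MF; otherwise parse the filename."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                found = parse_version(line.split(":", 1)[1])
                if found:
                    return found
    except (zipfile.BadZipFile, KeyError):
        pass
    m = re.search(r"-(\d+\.\d+\.\d+)", filename)
    return parse_version(m.group(1)) if m else None


def verdict(version):
    """Human-readable finding for one version triple, with the advisory's upgrade target."""
    dotted = ".".join(map(str, version))
    if not is_affected(version):
        return f"not affected ({dotted})"
    fix = FIRST_FIXED.get(version[:2])
    if fix:
        return f"AFFECTED {dotted}: upgrade to {'.'.join(map(str, fix))}"
    return f"AFFECTED {dotted}: unsupported line, move to a fixed release (5.3.20 or 5.2.22)"


def assess_jars(jars):
    """jars: iterable of (filename, bytes). Returns {filename: verdict} for Spring jars only."""
    report = {}
    for name, data in jars:
        if not SPRING_JAR.match(name):
            continue
        found = version_from_jar(data, name)
        report[name] = verdict(found) if found else "unknown version"
    return report


def assess_directory(root):
    """Walk a deployment directory and assess every *.jar found under it."""
    jars = ((p.name, p.read_bytes()) for p in Path(root).rglob("*.jar"))
    return assess_jars(jars)


def make_demo_jar(version):
    """Constructed sample jar containing only a manifest, for an offline demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    return buf.getvalue()


def demo_report():
    """Constructed classpath: one affected 5.3.x jar, one fixed 5.2.x jar, one unrelated jar."""
    sample = [
        ("spring-web-5.3.19.jar", make_demo_jar("5.3.19")),
        ("spring-core-5.2.22.RELEASE.jar", make_demo_jar("5.2.22.RELEASE")),
        ("commons-io-2.11.0.jar", make_demo_jar("2.11.0")),
    ]
    return assess_jars(sample)


if __name__ == "__main__":
    for jar, finding in demo_report().items():
        print(f"{jar}: {finding}")
```

Run `assess_directory("/path/to/deployment")` against a real install to list every Spring jar with its finding; a version that reports "not affected" for a line above 5.3.20 is outside the ranges this advisory lists, which is all the script claims.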

Resolution

Identity Manager is NOT vulnerable to CVE-2022-22970.

IDM does not use Spring MVC or Spring WebFlux, and does not use multipart data binding or javax.servlet.Part for file uploads.