CVE-2021-22112
- EPSS 0.98%
- Published 23.02.2021 19:15:13
- Last modified 21.11.2024 05:49:31
- Source security@vmware.com
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
Data is provided by the National Vulnerability Database (NVD)
Pivotal Software ≫ Spring Security Version < 5.2.9
Pivotal Software ≫ Spring Security Version >= 5.3.0 < 5.3.8
VMware ≫ Spring Security Version >= 5.4.0 < 5.4.4
Oracle ≫ Communications Element Manager Version >= 8.2.0 <= 8.2.4.0
Oracle ≫ Communications Interactive Session Recorder Version 6.3
Oracle ≫ Communications Interactive Session Recorder Version 6.4
Oracle ≫ Communications Unified Inventory Management Version 7.4.1
Oracle ≫ Hospitality Cruise Shipboard Property Management System Version 20.1.0
Oracle ≫ Insurance Policy Administration Version 11.2.0
Oracle ≫ Insurance Policy Administration Version 11.3.0
Oracle ≫ Mysql Enterprise Monitor Version <= 8.0.25
No CISA KEV entry or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile
---|---|---|---
EPSS | FIRST.org | 0.98% | 0.755

Source | Base Score | Exploit Score | Impact Score | Vector string
---|---|---|---|---
nvd@nist.gov | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov | 9 | 8 | 10 | AV:N/AC:L/Au:S/C:C/I:C/A:C