CVE-2022-22970

MEDIUM LAB

Vmware Spring Framework < 5.2.21 - Resource Allocation Without Limits

Title source: rule

Description

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Exploits (1)

nomisec WORKING POC

by Performant-Labs · poc

https://github.com/Performant-Labs/CVE-2022-22970

View Code ZIP pw:eip

References (3)

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20220616-0006/

[Mitigation, Vendor Advisory] https://tanzu.vmware.com/security/cve-2022-22970

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujul2022.html

Scores

CVSS v3 5.3

EPSS 0.0016

EPSS Percentile 37.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Lab Environment

COMMUNITY

Community Lab

docker pull mcr.microsoft.com/devcontainers/java:17-bullseye

https://github.com/Performant-Labs/CVE-2022-22970

View in Library

Details

CWE

CWE-770

Status published

Products (8)

netapp/active_iq_unified_manager (3 CPE variants)

netapp/brocade_san_navigator

netapp/cloud_secure_agent

netapp/oncommand_insight

oracle/financial_services_crime_and_compliance_management_studio 8.0.8.2.0

oracle/financial_services_crime_and_compliance_management_studio 8.0.8.3.0

org.springframework/spring-beans 0 - 5.2.22.RELEASEMaven

vmware/spring_framework < 5.2.21

Published May 12, 2022

Tracked Since Feb 18, 2026