CVE-2022-22971

MEDIUM

Vmware Spring Framework < 5.2.21 - Resource Allocation Without Limits

Title source: rule

Description

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.

Exploits (1)

nomisec WORKING POC 1 stars

by tchize · poc

https://github.com/tchize/CVE-2022-22971

View Code ZIP pw:eip

References (3)

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20220616-0003/

[Mitigation, Vendor Advisory] https://tanzu.vmware.com/security/cve-2022-22971

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujul2022.html

Scores

CVSS v3 6.5

EPSS 0.0034

EPSS Percentile 56.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-770

Status published

Affected Products (6)

vmware/spring_framework < 5.2.21

oracle/financial_services_crime_and_compliance_management_studio

netapp/cloud_secure_agent

netapp/oncommand_insight

org.springframework/spring-messaging < 5.3.20Maven

Timeline

Published May 12, 2022

Tracked Since Feb 18, 2026