CVE-2021-22096
Log Forging vulnerability in spring-core (Maven)
What is CVE-2021-22096 About?
This vulnerability in Spring Framework allows an attacker to inject additional log entries through malicious input. By providing specially crafted input, attackers can manipulate log files, potentially obscuring legitimate events or performing denial-of-service against log analysis systems. Exploitation is easy if the application logs unsanitized user-supplied input.
Affected Software
- org.springframework:spring-core
  - >5.3.0, <5.3.11
  - >5.2.0, <5.2.18
- org.springframework:spring
  - >5.3.0, <5.3.11
  - >5.2.0, <5.2.18
Technical Details
Spring Framework versions 5.3.0 - 5.3.10 and 5.2.0 - 5.2.17 are susceptible to log forging. The flaw occurs when user-supplied input is logged directly without proper sanitization. An attacker can embed newline characters (e.g., URL-encoded as %0A or %0D) or other log-splitting characters within their input. When this input is processed and logged by the application, the logging mechanism treats these characters as delimiters between log entries, allowing the attacker to inject arbitrary log content, create false log entries, or inflate log file sizes.
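The mechanism described above, shown next to one way of neutralizing it at the logging call site. This is an added example, not Spring's code and not the change shipped in the fixed releases; the class, the method names, the log layout and the sample input are all constructed for illustration, and it assumes Java 10 or later for the `URLDecoder.decode(String, Charset)` overload.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added illustration; class and method names are hypothetical, not Spring APIs.
public class LogForgingDemo {

    // Replace every control character and Unicode line/paragraph separator
    // with a visible escape so one logged value can never span log lines.
    static String neutralize(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (Character.isISOControl(c) || c == 0x2028 || c == 0x2029) {
                out.append(String.format("\\u%04x", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    // Stand-in for a logger's pattern layout: timestamp, level, message.
    static String format(String message) {
        return "2021-10-27 12:00:00 WARN  " + message;
    }

    // Number of physical lines a log reader would see in the record.
    static int lineCount(String record) {
        return record.split("\\R", -1).length;
    }

    public static void main(String[] args) {
        // Constructed sample input: a request parameter carrying an encoded newline.
        String raw = "alice%0A2021-10-27 12:00:01 INFO  Login succeeded for user=admin";
        String user = URLDecoder.decode(raw, StandardCharsets.UTF_8);

        String unsafe = format("Login failed for user=" + user);
        String safe = format("Login failed for user=" + neutralize(user));

        System.out.println(unsafe + "\n-> " + lineCount(unsafe) + " lines");
        System.out.println(safe + "\n-> " + lineCount(safe) + " line");
    }
}
```

The unsanitized record is read as two entries, the second of which the application never wrote; the neutralized record stays on one line with the line feed visible as an escape, which also preserves the evidence of the attempt for later review.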
What is the Impact of CVE-2021-22096?
Successful exploitation may allow attackers to forge log entries, obscure audit trails, inject misleading information into logs, or cause a denial of service for log analysis systems by overflowing log files.
What is the Exploitability of CVE-2021-22096?
Exploitation is of low complexity. An attacker merely needs to provide malicious input containing log-splitting characters (e.g., newlines) to an application that logs this input without proper sanitization. Authentication and privilege requirements depend on where the user-controlled input is accepted. If an unauthenticated endpoint logs user input, it can be a remote, unauthenticated attack. There are no special conditions other than the application logging user-supplied data directly. The primary risk factor is insufficient input validation and output encoding before user-supplied data is written to log files.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-22096?
Available Upgrade Options
- org.springframework:spring-core
  - >5.2.0, <5.2.18 → Upgrade to 5.2.18
  - >5.3.0, <5.3.11 → Upgrade to 5.3.11
- org.springframework:spring
  - >5.2.0, <5.2.18 → Upgrade to 5.2.18
  - >5.3.0, <5.3.11 → Upgrade to 5.3.11
Additional Resources
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-22096
- https://osv.dev/vulnerability/GHSA-rfmp-97jj-h8m6
- https://security.netapp.com/advisory/ntap-20211125-0005/
- https://tanzu.vmware.com/security/cve-2021-22096
- https://github.com/spring-projects/spring-framework
What are Similar Vulnerabilities to CVE-2021-22096?
Similar Vulnerabilities: CVE-2023-50017, CVE-2023-42407, CVE-2022-26155, CVE-2021-39230, CVE-2021-23395
