CVE-2021-22118
privilege escalation vulnerability in spring-web (Maven)

privilege escalation | No known exploit

What is CVE-2021-22118 About?

This privilege escalation vulnerability exists in Spring Framework 5.2.x prior to 5.2.15 and 5.3.x prior to 5.3.7 for WebFlux applications. A locally authenticated malicious user can exploit this by (re)creating the temporary storage directory to read, modify, or overwrite uploaded files. Exploitation requires local access and user authentication.

Affected Software

  • org.springframework:spring-web
    • >5.2.0, <5.2.15
    • >5.3.0, <5.3.7

Technical Details

The vulnerability in Spring Framework WebFlux (versions 5.2.x < 5.2.15 and 5.3.x < 5.3.7) is a privilege escalation flaw related to the handling of temporary storage directories for uploaded files. A locally authenticated malicious user can exploit this by manipulating the temporary directory used by the WebFlux application. Specifically, the attacker can either recreate this directory or interact with it in a way that allows them to read, modify, or overwrite files that have been uploaded to the application. This could also lead to overwriting arbitrary files with multipart request data, bypassing access controls and potentially leading to denial of service or further compromise.

What is the Impact of CVE-2021-22118?

Successful exploitation may allow attackers to gain elevated privileges, read sensitive data, modify critical files, or overwrite arbitrary files, leading to data integrity issues, privilege escalation, or further system compromise.

What is the Exploitability of CVE-2021-22118?

Exploitation of this vulnerability is of moderate complexity, requiring specific knowledge of the temporary file handling mechanisms in Spring WebFlux. It demands local access to the system and requires the attacker to be a locally authenticated user. There are no specific privilege requirements beyond authenticated user status. The attack is local in nature, impacting the integrity of files stored or processed by the WebFlux application. The primary risk factors include insecure file permissions on temporary directories or a race condition that allows an attacker to seize control of the directory before the application uses it.
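A host-side check for the risk factors named above, as an added example (it is not Spring's code and not the project's fix): it audits a temporary upload directory for ownership, mode, symlink and parent-directory problems, and creates a private one that passes the audit. The function names and the `base` and `expected_uid` parameters are assumptions made for illustration; it assumes a POSIX host.

```python
import os
import stat
import tempfile


def audit_upload_dir(path, expected_uid=None):
    """Return findings for a temp upload directory; an empty list means OK."""
    expected_uid = os.getuid() if expected_uid is None else expected_uid
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at path
    except FileNotFoundError:
        return ["missing: another local user could create it first"]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink: path redirects elsewhere"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"group/other access, mode {stat.S_IMODE(st.st_mode):04o}")
    # A world-writable parent without the sticky bit lets other users
    # remove or rename the directory and put their own in its place.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent is world-writable without sticky bit")
    return findings


def create_private_upload_dir(base=None, prefix="uploads-"):
    """Create a new 0700 directory (never reuse a name) and verify it."""
    path = tempfile.mkdtemp(prefix=prefix, dir=base)
    problems = audit_upload_dir(path)
    if problems:
        raise RuntimeError(f"{path}: {'; '.join(problems)}")
    return path


if __name__ == "__main__":
    d = create_private_upload_dir()
    print(d, audit_upload_dir(d) or "OK")
```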

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2021-22118?

Available Upgrade Options

  • org.springframework:spring-web
    • >5.2.0, <5.2.15 → Upgrade to 5.2.15
  • org.springframework:spring-web
    • >5.3.0, <5.3.7 → Upgrade to 5.3.7

Additional Resources

What are Similar Vulnerabilities to CVE-2021-22118?

Similar Vulnerabilities: CVE-2022-22965, CVE-2020-5398, CVE-2018-1270, CVE-2019-11268, CVE-2019-11272