CVE-2022-22968
DataBinder vulnerability in spring-context (Maven)

DataBinder Proof of concept

What is CVE-2022-22968 About?

Spring Framework's DataBinder has a vulnerability where `disallowedFields` patterns are case-sensitive, meaning fields are not effectively protected unless listed with both upper and lower case for the first letter. This flaw can lead to unauthorized modification of object properties. Exploitation is relatively straightforward for an attacker who understands the application's binding mechanisms.

Affected Software

  • org.springframework:spring-context
    • >5.3.0, <5.3.19
    • <5.2.21.RELEASE

Technical Details

The vulnerability in Spring Framework's DataBinder stems from its case-sensitive handling of `disallowedFields` patterns. When an application attempts to restrict binding to certain fields using `disallowedFields`, the mechanism expects an exact case match. If a field like `password` is disallowed (e.g., `disallowedFields = {"password"}`), an attacker can bypass this restriction by submitting a request with `Password` or `pAssword`. The DataBinder will not recognize the case-mismatched field as disallowed, leading to successful binding and potentially unauthorized modification of sensitive properties. This issue extends to nested fields within property paths, requiring all components of the path to be listed in both upper and lower case variations for comprehensive protection.
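The following Java program is an added example, not code from this page or from the Spring project. It binds one constructed request whose field name differs from the bean property only in the case of its first character, first against a `disallowedFields` deny-list and then against an `allowedFields` allow-list, and reports which fields the binder suppressed. It assumes `org.springframework:spring-context` is on the classpath; the `Account` bean, the `DisallowedFieldsCheck` class name and the parameter values are constructed for the demonstration.

```java
// Added example (not from the page or the Spring project): contrasts a
// disallowedFields deny-list, which CVE-2022-22968 shows is case-sensitive,
// with an allowedFields allow-list, which rejects anything not explicitly
// listed regardless of spelling. Assumes spring-context on the classpath.
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.BindingResult;
import org.springframework.validation.DataBinder;

public class DisallowedFieldsCheck {

    // Constructed form-backing bean with one sensitive property.
    public static class Account {
        private String username;
        private String password;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
        public String getPassword() { return password; }
        public void setPassword(String password) { this.password = password; }
    }

    // Constructed request parameters: "Password" differs from the bean
    // property "password" only in the case of its first character.
    static MutablePropertyValues request() {
        Map<String, Object> params = new LinkedHashMap<>();
        params.put("username", "alice");
        params.put("Password", "value-from-request");
        return new MutablePropertyValues(params);
    }

    // Weak configuration: deny-list with a single case variant.
    // On spring-context 5.3.18 and earlier the pattern "password" does not
    // match the field "Password", so the value reaches the setter.
    static Account bindWithDenyList() {
        Account account = new Account();
        DataBinder binder = new DataBinder(account);
        binder.setDisallowedFields("password");
        binder.bind(request());
        report("disallowedFields", binder.getBindingResult());
        return account;
    }

    // Hardened configuration: allow-list of exactly the bindable fields.
    // "Password" is not in the list, so it is suppressed on every version.
    static Account bindWithAllowList() {
        Account account = new Account();
        DataBinder binder = new DataBinder(account);
        binder.setAllowedFields("username");
        binder.bind(request());
        report("allowedFields", binder.getBindingResult());
        return account;
    }

    // getSuppressedFields() lists the request fields the binder refused to bind.
    static void report(String mode, BindingResult result) {
        System.out.println(mode + ": suppressed fields = "
                + String.join(",", result.getSuppressedFields()));
    }

    public static void main(String[] args) {
        Account denyList = bindWithDenyList();
        // Non-null on affected versions; null on 5.3.19 / 5.2.21.RELEASE and later.
        System.out.println("deny-list bound password: " + denyList.getPassword());
        Account allowList = bindWithAllowList();
        // Null on every version: the allow-list never admits the field.
        System.out.println("allow-list bound password: " + allowList.getPassword());
    }
}
```

Running this against an affected version prints an empty suppressed-field list and a bound password for the deny-list case, while the allow-list case suppresses `Password` regardless of version. That difference is the practical takeaway: an allow-list of exactly the fields a form may set does not depend on the case-insensitive matching that only the fixed versions provide.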

What is the Impact of CVE-2022-22968?

Successful exploitation may allow attackers to bypass security restrictions on data binding, leading to unauthorized modification of sensitive application data, elevated privileges, or denial of service.

What is the Exploitability of CVE-2022-22968?

Exploitation complexity is moderate. An attacker needs to understand the application's data binding mechanisms and identify vulnerable fields. There are no strict authentication requirements beyond access to the application interface that uses the DataBinder; the privileges required are typically those of a standard authenticated user who can submit data. Exploitation is remote, as it involves sending maliciously crafted input to the application. A special condition is knowing the names of the forbidden fields in order to attempt case-variation attacks. Risk factors that increase the likelihood of exploitation include applications that use data binding extensively without meticulous, case-insensitive `disallowedFields` configurations, and scenarios where sensitive object properties are bindable from user input.

What are the Known Public Exploits?

PoC Author   Link   Commentary
MarcinGadz   Link   Testing CVE-2022-22968

What are the Available Fixes for CVE-2022-22968?

Available Upgrade Options

  • org.springframework:spring-context
    • <5.2.21.RELEASE → Upgrade to 5.2.21.RELEASE
  • org.springframework:spring-context
    • >5.3.0, <5.3.19 → Upgrade to 5.3.19

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Additional Resources

What are Similar Vulnerabilities to CVE-2022-22968?

Similar Vulnerabilities: CVE-2010-1622, CVE-2018-1270, CVE-2022-22965, CVE-2019-11261, CVE-2017-8046