CVE-2022-22970: Spring Framework DoS via Data Binding to MultipartFile or Servlet Part
Spring by VMware
A Spring MVC or Spring WebFlux application that handles file uploads is vulnerable to a DoS attack if it relies on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
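The binding pattern the advisory describes, shown as an added Java illustration that is not part of the advisory: `UploadForm`, `UploadController` and the URL paths are assumed names. The second handler shows an alternative that keeps the file out of model-object data binding; the advisory's own mitigation is upgrading to a fixed release.

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RequestPart;
import org.springframework.web.multipart.MultipartFile;

// Hypothetical form-backing object. The MultipartFile is populated by data
// binding, which is the pattern CVE-2022-22970 concerns on Spring Framework
// versions before 5.3.20 / 5.2.22.
class UploadForm {
    private String description;
    private MultipartFile file; // set via WebDataBinder from the "file" part

    public String getDescription() { return description; }
    public void setDescription(String description) { this.description = description; }
    public MultipartFile getFile() { return file; }
    public void setFile(MultipartFile file) { this.file = file; }
}

@Controller
public class UploadController {

    // Matches the advisory's description: @ModelAttribute runs data binding,
    // which sets UploadForm.file from the multipart request.
    @PostMapping("/upload-bound")
    public String uploadViaBinding(@ModelAttribute UploadForm form) {
        return handle(form.getDescription(), form.getFile());
    }

    // Alternative (assumed, not the advisory's stated fix): read the part
    // directly with @RequestPart, so the file never goes through model-object
    // data binding. Upgrading remains the advisory's mitigation.
    @PostMapping("/upload-direct")
    public String uploadDirect(@RequestParam("description") String description,
                               @RequestPart("file") MultipartFile file) {
        return handle(description, file);
    }

    private String handle(String description, MultipartFile file) {
        if (file == null || file.isEmpty()) {
            return "redirect:/upload?error=empty";
        }
        // Application-level checks (size limits, content type) would go here.
        return "redirect:/upload?ok";
    }
}
```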
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
- 5.3.0 to 5.3.19
- 5.2.0 to 5.2.21
- Older, unsupported versions are also affected
Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.20; 5.2.x users should upgrade to 5.2.22. No other steps are necessary. Releases that have fixed this issue include:
- 5.3.20
- 5.2.22
This vulnerability was responsibly reported to VMware by Rob Ryan from Adobe Inc. Related variations were also reported by WeBin Lab of Dbappsecurity and by Vivek Sharm from Arcesium.
2022-05-11: Initial vulnerability report published.