CVE-2022-22965
Public on 2022-04-01
Modified on 2022-09-15
Description
A flaw was found in Spring Framework, specifically within two modules called Spring MVC and Spring WebFlux, (transitively affected from Spring Beans), using parameter data binding. This flaw allows an attacker to pass specially-constructed malicious requests to certain parameters and possibly gain access to normally-restricted functionality within the Java Virtual Machine.
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Tomcat8.5 Extra | tomcat | 2023-08-21 | ALAS2TOMCAT8.5-2023-005 | Fixed |
| Amazon Linux 2 - Tomcat9 Extra | tomcat | 2023-08-21 | ALAS2TOMCAT9-2023-004 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | CVSSv2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| NVD | CVSSv3 | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |