CVE-2021-22118

Description

The MITRE CVE dictionary describes this issue as:

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
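The weakness above is that the WebFlux multipart reader spooled large parts into a temporary directory with a predictable location and permissions that another local account could influence. The real remedy is upgrading to 5.2.15 / 5.3.7 or later; as an additional control for 5.3.x deployments, the application can hand the multipart reader an explicitly created, owner-only storage directory. The configuration below is an added example written for this page, not code from Spring or from Red Hat; it assumes a Spring WebFlux 5.3.x application and relies on `Files.createTempDirectory`, which on POSIX file systems creates the directory with a random name and mode 0700. The class and method names are illustrative.

```java
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Set;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.codec.ServerCodecConfigurer;
import org.springframework.http.codec.multipart.DefaultPartHttpMessageReader;
import org.springframework.web.reactive.config.WebFluxConfigurer;

// Illustrative configuration class (hypothetical name): routes multipart spooling
// to a private, freshly created directory instead of a shared fixed path.
@Configuration
public class MultipartStorageConfig implements WebFluxConfigurer {

    @Override
    public void configureHttpMessageCodecs(ServerCodecConfigurer configurer) {
        DefaultPartHttpMessageReader reader = new DefaultPartHttpMessageReader();
        try {
            reader.setFileStorageDirectory(privateUploadDirectory());
        } catch (IOException ex) {
            // Fail closed: better to refuse to start than to spool uploads somewhere shared.
            throw new IllegalStateException("cannot prepare multipart storage directory", ex);
        }
        // Replace the default multipart reader with the one bound to the private directory.
        configurer.defaultCodecs().multipartReader(reader);
    }

    // Creates the storage directory and verifies that it is owner-only before use.
    static Path privateUploadDirectory() throws IOException {
        // Random name plus 0700 mode on POSIX: another local user can neither
        // pre-create the directory nor list or open the parts spooled into it.
        Path dir = Files.createTempDirectory("webflux-upload-");

        // The permission check only makes sense where POSIX attributes exist
        // (it would throw UnsupportedOperationException on Windows).
        if (FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            Set<PosixFilePermission> expected = EnumSet.of(
                    PosixFilePermission.OWNER_READ,
                    PosixFilePermission.OWNER_WRITE,
                    PosixFilePermission.OWNER_EXECUTE);
            Set<PosixFilePermission> actual = Files.getPosixFilePermissions(dir);
            if (!actual.equals(expected)) {
                throw new IOException("multipart storage directory is not owner-only: " + actual);
            }
        }
        return dir;
    }
}
```

The check after creation is deliberate: a umask or a security module could in principle widen the mode, and an upload spool that is readable by other accounts is exactly the condition CWE-281 describes, so the application verifies the result rather than trusting the default.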

Statement

In OpenShift Container Platform (OCP) 3.11 the jenkins package delivers the vulnerable version of spring-framework, but OCP 3.11 is now in the Maintenance Phase of support and is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities, hence this component is marked as OOSS. This may be fixed in a future release.

Additional Information

  • Bugzilla 1974854: CVE-2021-22118 spring-web: (re)creating the temporary storage directory could result in a privilege escalation within WebFlux application
  • CWE-281: Improper Preservation of Permissions
  • FAQ: Frequently asked questions about CVE-2021-22118