CVSSv3: 8.8

CVE-2021-22112

Published: 23/02/2021 Updated: 07/11/2023
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 801
Vector (CVSS v2): AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Summary

Spring Security 5.4.x before 5.4.4, 5.3.x before 5.3.8.RELEASE, 5.2.x before 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot trigger the bug on their own (the application code must change the context more than once in one request). However, if the application's intent is to allow the user to run with elevated privileges only in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

Vulnerable Products

vmware spring security

pivotal software spring security

oracle hospitality cruise shipboard property management system 20.1.0

oracle communications interactive session recorder 6.3

oracle communications interactive session recorder 6.4

oracle communications unified inventory management 7.4.1

oracle insurance policy administration 11.3.0

oracle insurance policy administration 11.2.0

oracle communications element manager

oracle mysql enterprise monitor

Vendor Advisories

A security issue was found in Jenkins 2.275 through 2.278 (inclusive) that allows attackers with Job/Workspace permission to exploit this to switch their identity to SYSTEM, an internal user with all permissions. The issue is caused by an embedded copy of Spring Security, which in version 5.4.3 and earlier has a vulnerability that unintentionally p ...

Mailing Lists

oss-sec mailing list archives: Vulnerability in Jenkins. From: Daniel Beck <ml () beckweb net> D ...

Github Repositories

Spring Security integration with Auth0 to secure your API with JWTs

Auth0 Spring Security for API. Note: As part of our ongoing commitment to best security practices, we have rotated the signing keys used to sign previous releases of this SDK. As a result, new patch builds have been released using the new signing key. Please upgrade at your earliest convenience. While this change won't affect most developers, if you have implemented a

References

CWE: NVD-CWE-noinfo

http://www.openwall.com/lists/oss-security/2021/02/19/7

https://tanzu.vmware.com/security/cve-2021-22112

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuoct2021.html

https://lists.apache.org/thread.html/redbd004a503b3520ae5746c2ab5e93fd7da807a8c128e60d2002cd9b%40%3Cissues.nifi.apache.org%3E

https://lists.apache.org/thread.html/r37423ec7eea340e92a409452c35b649dce02fdc467f0b3f52086c177%40%3Cpluto-dev.portals.apache.org%3E

https://lists.apache.org/thread.html/ra6389b1b82108a3b6bbcd22979f7665fd437c2a3408c9509a15a9ca1%40%3Cpluto-dev.portals.apache.org%3E

https://lists.apache.org/thread.html/r2cb05e499807900ba23e539643eead9c5f0652fd271f223f89da1804%40%3Cpluto-scm.portals.apache.org%3E

https://lists.apache.org/thread.html/r163b3e4e39803882f5be05ee8606b2b9812920e196daa2a82997ce14%40%3Cpluto-dev.portals.apache.org%3E

https://lists.apache.org/thread.html/r390783b3b1c59b978131ac08390bf77fbb3863270cbde59d5b0f5fde%40%3Cpluto-dev.portals.apache.org%3E

https://lists.apache.org/thread.html/r3868207b967f926819fe3aa8d33f1666429be589bb4a62104a49f4e3%40%3Cpluto-dev.portals.apache.org%3E

https://lists.apache.org/thread.html/r413e380088c427f56102968df89ef2f336473e1b56b7d4b3a571a378%40%3Cpluto-dev.portals.apache.org%3E

https://lists.apache.org/thread.html/r89aa1b48a827f5641310305214547f1d6b2101971a49b624737c497f%40%3Cpluto-dev.portals.apache.org%3E

https://lists.apache.org/thread.html/ra53677224fe4f04c2599abc88032076faa18dc84b329cdeba85d4cfc%40%3Cpluto-scm.portals.apache.org%3E

https://nvd.nist.gov

https://github.com/auth0/auth0-spring-security-api

http://seclists.org/oss-sec/2021/q1/166

https://security.archlinux.org/CVE-2021-22112