CVE-2022-22968
Published: 14 April 2022
Summary
CVE-2022-22968 is a medium-severity Improper Handling of Case Sensitivity (CWE-178) vulnerability in the VMware Spring Framework. Its CVSS base score is 5.3 (Medium).
Operationally, it ranks in the top 4.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-22968 is a case-sensitivity flaw in the Spring Framework's DataBinder component that handles disallowedFields patterns. It affects versions 5.3.0 through 5.3.18, 5.2.0 through 5.2.20, and older unsupported releases. Because the patterns treat uppercase and lowercase variants of the first character in field names (including nested properties) as distinct, a field listed only in one case remains writable.
An unauthenticated remote attacker can supply input that matches the opposite case of a protected field name, bypassing the intended restriction and achieving limited modification of application data. The CVSS 5.3 score reflects a network attack vector, low attack complexity, and an integrity impact with no confidentiality or availability consequences.
Vendor advisories from VMware Tanzu, Oracle, and NetApp address the issue and direct users to apply the corresponding Spring Framework updates. The associated EPSS score has remained essentially flat near 0.205 with no material post-disclosure rise.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-1735
Vulnerability details
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
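Added example, not code from the advisory or the Spring project: a DataBinder configured with the workaround the advisory describes, listing every first-character case variant of each disallowed path, nested segments included, so the opposite-case input constructed here is suppressed even on affected versions. The Account and Profile beans and the caseVariants helper are assumptions made for this illustration; applying the vendor update remains the actual fix.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

public class DisallowedFieldsBothCases {
    // Hypothetical target beans, constructed for this example.
    public static class Account {
        private String role = "user";          // must never be bound from request input
        private Profile profile = new Profile();
        public String getRole() { return role; }
        public void setRole(String role) { this.role = role; }
        public Profile getProfile() { return profile; }
        public void setProfile(Profile profile) { this.profile = profile; }
    }
    public static class Profile {
        private boolean verified;              // nested field that must not be bound either
        public boolean isVerified() { return verified; }
        public void setVerified(boolean verified) { this.verified = verified; }
    }

    // Expand a property path into every first-character case variant of every segment,
    // e.g. "profile.verified" -> profile.verified, Profile.verified, profile.Verified, Profile.Verified
    static List<String> caseVariants(String path) {
        List<String> out = new ArrayList<>(List.of(""));
        for (String seg : path.split("\\.")) {
            String lower = Character.toLowerCase(seg.charAt(0)) + seg.substring(1);
            String upper = Character.toUpperCase(seg.charAt(0)) + seg.substring(1);
            List<String> next = new ArrayList<>();
            for (String prefix : out) {
                String dot = prefix.isEmpty() ? "" : ".";
                next.add(prefix + dot + lower);
                next.add(prefix + dot + upper);
            }
            out = next;
        }
        return out;
    }

    public static void main(String[] args) {
        Account acct = new Account();
        DataBinder binder = new DataBinder(acct);
        List<String> disallowed = new ArrayList<>(caseVariants("role"));
        disallowed.addAll(caseVariants("profile.verified"));
        binder.setDisallowedFields(disallowed.toArray(new String[0]));
        // Constructed input using the opposite case; a bare "role" pattern misses it on affected versions.
        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.add("Role", "admin");
        pvs.add("Profile.Verified", "true");
        binder.bind(pvs);
        System.out.println("role=" + acct.getRole() + " verified=" + acct.getProfile().isVerified()
                + " suppressed=" + String.join(",", binder.getBindingResult().getSuppressedFields()));
    }
}
```

With the expanded pattern list the binder records both "Role" and "Profile.Verified" as suppressed fields and the bean keeps its defaults; with only "role" and "profile.verified" listed, an affected version binds both values.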
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.