Cyber Resilience

CVE-2022-22968

Severity: Medium
Published: 14 April 2022
Modified: 21 November 2024
KEV Added: not listed
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.2051 (95.7th percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-22968 is a medium-severity Improper Handling of Case Sensitivity (CWE-178) vulnerability in the VMware Spring Framework. Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 4.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-22968 is a case-sensitivity flaw in the Spring Framework's DataBinder component that handles disallowedFields patterns. It affects versions 5.3.0 through 5.3.18, 5.2.0 through 5.2.20, and older unsupported releases. Because the patterns treat uppercase and lowercase variants of the first character in field names (including nested properties) as distinct, a field listed only in one case remains writable.

An unauthenticated remote attacker can supply input that matches the opposite case of a protected field name, bypassing intended restrictions and achieving limited modification of application data. The vulnerability carries a CVSS 5.3 score reflecting network attack vector, low complexity, and integrity impact without confidentiality or availability consequences.

Vendor advisories from VMware Tanzu, Oracle, and NetApp address the issue and direct users to apply the corresponding Spring Framework updates. The associated EPSS score has remained essentially flat near 0.205 with no material post-disclosure rise.


Vulnerability details

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive, which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
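The description above means a binder on an unpatched release only blocks the exact spelling given to setDisallowedFields. The helper below is an added example, not code from this page or from the Spring project: it expands each protected property path into every first-character case variant of every segment and registers all of them, as a stop-gap for binders that cannot yet be moved to a fixed release. It assumes dot-separated paths without indexed ("items[0]") segments and uses hypothetical field names.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.validation.DataBinder;

/**
 * Added example (not Spring's own code). Pre-fix DataBinder matches
 * disallowedFields patterns case-sensitively on the first character of every
 * path segment, so a path is only protected when listed in all such variants.
 * Assumes dot-separated property paths without indexed ("items[0]") segments.
 */
public final class DisallowedFieldsHardening {

    /** "account.isAdmin" -> account.isAdmin, Account.isAdmin, account.IsAdmin, Account.IsAdmin */
    static List<String> caseVariants(String propertyPath) {
        List<String> prefixes = new ArrayList<>();
        prefixes.add("");
        for (String segment : propertyPath.split("\\.")) {
            if (segment.isEmpty()) {
                throw new IllegalArgumentException("empty path segment in " + propertyPath);
            }
            String lower = Character.toLowerCase(segment.charAt(0)) + segment.substring(1);
            String upper = Character.toUpperCase(segment.charAt(0)) + segment.substring(1);
            List<String> next = new ArrayList<>();
            for (String prefix : prefixes) {
                String sep = prefix.isEmpty() ? "" : ".";
                next.add(prefix + sep + lower);
                if (!upper.equals(lower)) {          // digits, '*' etc. have a single form
                    next.add(prefix + sep + upper);
                }
            }
            prefixes = next;
        }
        return prefixes;
    }

    /** Register every case variant of each protected path on the binder. */
    static void protect(DataBinder binder, String... protectedPaths) {
        List<String> patterns = new ArrayList<>();
        for (String path : protectedPaths) {
            patterns.addAll(caseVariants(path));
        }
        binder.setDisallowedFields(patterns.toArray(new String[0]));
    }

    /** Typical call site: a controller's @InitBinder method (hypothetical field names). */
    static void configure(DataBinder binder) {
        protect(binder, "isAdmin", "account.roles");
        // "isAdmin" and "IsAdmin" are now both suppressed; bind() still accepts other fields,
        // and suppressed names can be audited via binder.getBindingResult().getSuppressedFields().
    }
}
```

Upgrading to a Spring Framework release that fixes CVE-2022-22968 remains the real remedy; the expansion only closes the case gap on releases that still match literally.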


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

VMware Spring Framework: ≤ 5.2.0; 5.2.0 through 5.2.20; 5.3.0 through 5.3.18
NetApp Active IQ Unified Manager: all versions
NetApp Cloud Secure Agent: all versions
NetApp MetroCluster Tiebreaker: all versions
NetApp Snap Creator Framework: all versions
NetApp SnapManager: all versions
Oracle MySQL Enterprise Monitor: ≤ 8.0.29

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
