CVE-2022-22970

Denial of Service
Affects
Spring Framework
<5.2.22, >=5.3.0 <5.3.20
in
Spring
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Spring Framework is a comprehensive Java framework for building enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of web applications by allowing you to use Java as your primary language while offering a variety of tools to manage application configuration, data access, and security.

A Denial of Service (DoS) vulnerability (CVE-2022-22970) has been identified in the spring-beans package of the Spring Framework. It allows an attacker to overwhelm a server with specially crafted requests when the application relies on data binding to set a MultipartFile or javax.servlet.Part field in a model object.

Per OWASP, denial of service (DoS) attacks aim to make a service “unavailable for the purpose it was designed.” In this case, the vulnerability allows excessively large or too many files to be bound, consuming most system resources and denying other users access.

This issue affects multiple versions of spring-beans from Spring Framework.

Details

Module Info

Vulnerability Info

This Medium-severity vulnerability is found in the spring-beans.jar module of the Spring Framework.

When an application uses data binding to automatically map HTTP request parameters to fields in a model object, it may include fields of type MultipartFile or javax.servlet.Part to handle file uploads. The Spring Framework attempts to bind any matching request data to these fields. This becomes problematic when there is no limit on the size or number of files being bound, allowing attackers to submit excessively large or numerous files. This can overwhelm the server's memory, CPU, or disk storage, leading to a DoS condition.
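The following is an added example (not code from the advisory or from the Spring project) showing the binding pattern described above beside two general hardening measures: servlet-level multipart limits that apply before binding, and an application-level cap on the number of bound files. It assumes a Spring Boot application; the class names, field names and limit values are assumptions, and these limits complement rather than replace upgrading to a fixed version.

```java
import java.util.List;
import javax.servlet.MultipartConfigElement;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.multipart.MultipartFile;
import org.springframework.web.server.ResponseStatusException;

// Hypothetical form-backing model. Bound via @ModelAttribute, so the data
// binder fills "attachments" from every multipart part named attachments
// (or attachments[0], attachments[1], ...); the model itself bounds nothing.
class UploadForm {
    private List<MultipartFile> attachments;
    public List<MultipartFile> getAttachments() { return attachments; }
    public void setAttachments(List<MultipartFile> a) { this.attachments = a; }
}

// Servlet-level limits, enforced while the container parses the multipart
// body and therefore before any binding takes place. Spring Boot registers a
// MultipartConfigElement bean with the DispatcherServlet. Values are assumed.
@Configuration
class MultipartLimits {
    @Bean
    MultipartConfigElement multipartConfigElement() {
        // location, maxFileSize (1 MiB), maxRequestSize (4 MiB), fileSizeThreshold
        return new MultipartConfigElement(System.getProperty("java.io.tmpdir"),
                1L << 20, 4L << 20, 0);
    }
}

@RestController
class UploadController {
    private static final int MAX_ATTACHMENTS = 3; // assumed application cap
    @PostMapping("/upload")
    String upload(@ModelAttribute UploadForm form) {
        List<MultipartFile> files = form.getAttachments();
        int count = files == null ? 0 : files.size();
        // Binding has already run here, so this only caps what the application
        // processes next; the servlet limits above stop oversized requests earlier.
        if (count > MAX_ATTACHMENTS) {
            throw new ResponseStatusException(HttpStatus.PAYLOAD_TOO_LARGE,
                    "at most " + MAX_ATTACHMENTS + " attachments allowed");
        }
        return "accepted " + count + " attachment(s)";
    }
}
```

A request that exceeds the servlet limits is rejected by the container before the controller runs, which is where the memory, CPU and disk consumption described above would otherwise occur.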

Credits

  • VMware

Mitigation

Spring Framework 4 and 5 are no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Framework.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

ID: CVE-2022-22970
Project Affected: Spring Framework
Versions Affected: <5.2.22, >=5.3.0 <5.3.20
Published date: May 11, 2022
Fix date (approx.): May 11, 2022
Severity: Medium
Category: Denial of Service