CVE-2021-22112

CVSS v3.1 8.8 (High)
CVSS v2.0 9 (High)
EPSS 0.26 % (66th)
Affected Products 8
Advisories 2

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request (for example, elevated and then restored). A malicious user cannot trigger the bug on their own; the double change must be programmed into the application. However, if the application's intent is to let the user run with elevated privileges only in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application, because the restored (lower-privilege) context is the change that can go unsaved.
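
The following is an added illustration, not Spring Security's own code and not a reproduction of the bug itself. It shows the application pattern the advisory describes (one request changing the SecurityContext twice: elevate, then restore) and a version-range check built from the affected ranges listed on this page. It assumes a Spring Security web application with an authenticated caller; the wrapper name runAsAdmin and the authority ROLE_ADMIN are hypothetical, and the version-string format handled by isAffected ("5.3.7.RELEASE", "5.4.3") is an assumption about how the dependency is reported.

```java
// Added illustration for CVE-2021-22112; not Spring Security's own code and not a
// reproduction of the bug. Shows the elevate-then-restore pattern the advisory
// describes, plus a range check built from the affected versions on this page.
// Assumptions: a Spring Security web app with an authenticated caller; the names
// runAsAdmin and ROLE_ADMIN are hypothetical.
import java.util.ArrayList;
import java.util.List;
import java.util.function.Supplier;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.SpringSecurityCoreVersion;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

public final class ScopedElevation {

    private ScopedElevation() {
    }

    /**
     * Runs {@code action} with ROLE_ADMIN added to the caller's authorities, then
     * puts the caller's original context back. The restore is the second context
     * change in the request: on affected versions it can fail to be persisted, so
     * the elevated context may be what the session keeps for later requests.
     */
    public static <T> T runAsAdmin(Supplier<T> action) {
        SecurityContext original = SecurityContextHolder.getContext();
        Authentication current = original.getAuthentication();
        if (current == null) {
            throw new IllegalStateException("no authenticated user to elevate");
        }
        List<GrantedAuthority> elevated = new ArrayList<>(current.getAuthorities());
        elevated.add(new SimpleGrantedAuthority("ROLE_ADMIN"));

        // Change #1: install a separate context holding the elevated token, leaving
        // the caller's own context object untouched.
        SecurityContext elevatedContext = SecurityContextHolder.createEmptyContext();
        elevatedContext.setAuthentication(new UsernamePasswordAuthenticationToken(
                current.getPrincipal(), current.getCredentials(), elevated));
        SecurityContextHolder.setContext(elevatedContext);
        try {
            return action.get();
        } finally {
            // Change #2: restore the original context. This is the change that the
            // affected versions can fail to save; 5.2.9, 5.3.8 and 5.4.4 fix that.
            SecurityContextHolder.setContext(original);
        }
    }

    /** True when {@code version} falls in a range listed for this CVE. */
    public static boolean isAffected(String version) {
        int[] v = numericParts(version);
        if (compare(v, 5, 3, 0) < 0) {
            return compare(v, 5, 2, 9) < 0;   // 5.2.x prior to 5.2.9, plus older lines
        }
        if (compare(v, 5, 4, 0) < 0) {
            return compare(v, 5, 3, 8) < 0;   // 5.3.x prior to 5.3.8
        }
        if (compare(v, 5, 5, 0) < 0) {
            return compare(v, 5, 4, 4) < 0;   // 5.4.x prior to 5.4.4
        }
        return false;                         // 5.5 and later
    }

    // Leading numeric components of a Spring-style version string; a trailing
    // qualifier such as RELEASE or SNAPSHOT is ignored.
    private static int[] numericParts(String version) {
        int[] parts = new int[3];
        String[] tokens = version.trim().split("[.\\-]");
        for (int i = 0; i < parts.length && i < tokens.length; i++) {
            if (!tokens[i].matches("\\d+")) {
                break;
            }
            parts[i] = Integer.parseInt(tokens[i]);
        }
        return parts;
    }

    private static int compare(int[] v, int major, int minor, int patch) {
        if (v[0] != major) {
            return Integer.compare(v[0], major);
        }
        if (v[1] != minor) {
            return Integer.compare(v[1], minor);
        }
        return Integer.compare(v[2], patch);
    }

    /** Checks the spring-security-core jar on the classpath, or a version given as the first argument. */
    public static void main(String[] args) {
        String version = args.length > 0 ? args[0] : SpringSecurityCoreVersion.getVersion();
        if (version == null) {
            System.out.println("spring-security-core version not readable from the classpath; pass it as an argument");
            return;
        }
        System.out.println("spring-security-core " + version
                + (isAffected(version) ? " is" : " is not") + " in an affected range for CVE-2021-22112");
    }
}
```

The wrapper is the kind of code the advisory has in mind: the application, not the attacker, performs two context changes in one request. Upgrading is the fix; the range check is only there so a build or startup test can refuse a dependency in one of the listed ranges (for example, `java ScopedElevation 5.4.3` reports an affected version, `5.4.4` does not).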

Weaknesses
CWE-NVD-noinfo
CVE Status
PUBLISHED
CNA
VMware
Published Date
2021-02-23 19:15:13
Updated Date
2023-11-07 03:30:09

Affected Products


Configuration #1

  Vendor / Product                   Affected range       CPE 2.3
  Pivotal Software Spring Security   < 5.2.9              cpe:2.3:a:pivotal_software:spring_security
  Pivotal Software Spring Security   >= 5.3.0, < 5.3.8    cpe:2.3:a:pivotal_software:spring_security
  VMware Spring Security             >= 5.4.0, < 5.4.4    cpe:2.3:a:vmware:spring_security

Configuration #2

  Vendor / Product                                                 Affected range          CPE 2.3
  Oracle Communications Element Manager                            >= 8.2.0, <= 8.2.4.0    cpe:2.3:a:oracle:communications_element_manager
  Oracle Communications Interactive Session Recorder               6.3                     cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3
  Oracle Communications Interactive Session Recorder               6.4                     cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4
  Oracle Communications Unified Inventory Management               7.4.1                   cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1
  Oracle Hospitality Cruise Shipboard Property Management System   20.1.0                  cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0
  Oracle Insurance Policy Administration                           11.2.0                  cpe:2.3:a:oracle:insurance_policy_administration:11.2.0
  Oracle Insurance Policy Administration                           11.3.0                  cpe:2.3:a:oracle:insurance_policy_administration:11.3.0
  Oracle MySQL Enterprise Monitor                                  <= 8.0.25               cpe:2.3:a:oracle:mysql_enterprise_monitor