Attacker Value
Unknown
CVE-2021-22118
CVE-2021-22118
(Last updated November 28, 2024) ▾
MITRE ATT&CK
Log in to add MITRE ATT&CK tag
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Description
In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
Add Assessment
No one has assessed this topic. Be the first to add your voice to the community.
CVSS V3 Severity and Metrics
Data provided by the National Vulnerability Database (NVD)
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High
General Information
Products
- commerce guided search 11.3.2
- communications brm elastic charging engine 12.0.0.3
- communications cloud native core binding support function 1.9.0
- communications cloud native core policy 1.14.0
- communications cloud native core security edge protection proxy 1.6.0
- communications cloud native core service communication proxy 1.14.0
- communications cloud native core unified data repository 1.14.0
- communications diameter intelligence hub
- communications element manager
- communications interactive session recorder 6.4
- communications network integrity 7.3.6
- communications session report manager
- communications session route manager
- communications unified inventory management 7.4.1
- communications unified inventory management 7.4.2
- communications unified inventory management 7.5.0
- documaker
- enterprise data quality 12.2.1.3.0
- enterprise data quality 12.2.1.4.0
- financial services analytical applications infrastructure
- hci
- healthcare data repository 8.1.0
- insurance policy administration
- insurance rules palette 11.0.2
- insurance rules palette 11.1.0
- insurance rules palette 11.2.7
- insurance rules palette 11.3.0
- insurance rules palette 11.3.1
- management services for element software
- mysql enterprise monitor
- retail assortment planning 16.0
- retail customer management and segmentation foundation
- retail financial integration 14.1.3.2
- retail financial integration 15.0.3.1
- retail financial integration 16.0.3
- retail integration bus 14.1.3.2
- retail integration bus 15.0.3.1
- retail integration bus 16.0.3
- retail merchandising system 19.0.1
- retail order broker 16.0
- retail predictive application server 14.1.3
- retail predictive application server 15.0.3
- retail predictive application server 16.0.3
- spring framework
- utilities testing accelerator 6.0.0.1.1
- utilities testing accelerator 6.0.0.2.2
- utilities testing accelerator 6.0.0.3.1
References
Miscellaneous
