Description
In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
Report
In OpenShift Container Platform (OCP) the jenkins package bundles the vulnerable version of spring-framework, but as Jenkins is not a WebFlux application it is not impacted by this vulnerability. The OCP components have therefore been marked as affected/wontfix. This may be fixed in a future release.
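The affected ranges in the description (5.2.x before 5.2.15, 5.3.x before 5.3.7) and the exposure caveat in the report (a vulnerable jar only matters in a WebFlux application) are easy to get wrong by hand, especially because 5.2.x artefacts carry a `.RELEASE` qualifier. The following check is an added example, not part of this advisory or of any Spring or Red Hat tooling. It assumes jar file names follow Maven's `artifact-version.jar` convention and that the operator knows whether the application handles multipart uploads through WebFlux; the sample jar list is constructed for the example.

```python
import re

# Affected ranges from the advisory: 5.2.x < 5.2.15 and 5.3.x < 5.3.7.
# Keyed by (major, minor); the value is the first fixed patch level.
FIXED_PATCH = {(5, 2): 15, (5, 3): 7}

# spring-web carries the multipart codecs; spring-webflux is checked as well
# because its version normally tracks spring-web in a deployment.
# Accepts names such as spring-web-5.3.6.jar and spring-web-5.2.14.RELEASE.jar.
JAR_RE = re.compile(
    r"^spring-(?P<artifact>web|webflux)-"
    r"(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:\.(?P<qualifier>[A-Za-z0-9_-]+))?\.jar$"
)


def parse_jar(jar_name):
    """Return (artifact, (major, minor, patch)) or None if the name is not a spring-web/webflux jar."""
    m = JAR_RE.match(jar_name)
    if m is None:
        return None
    version = (int(m.group("major")), int(m.group("minor")), int(m.group("patch")))
    return m.group("artifact"), version


def is_affected(version):
    """True if the version is in an affected range, False if fixed,
    None if the advisory does not list the major.minor line at all."""
    major, minor, patch = version
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return None
    return patch < fixed


def assess(jar_names, uses_webflux):
    """Classify each spring-web/webflux jar found in a deployment.

    uses_webflux: whether the application actually serves WebFlux multipart
    requests. Per the Red Hat note, a bundled vulnerable jar in a non-WebFlux
    application (Jenkins) is not exposed.
    """
    findings = []
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None:
            continue  # other Spring modules are not relevant to this CVE
        artifact, version = parsed
        affected = is_affected(version)
        if affected is None:
            verdict = "not in advisory range"
        elif not affected:
            verdict = "fixed"
        elif uses_webflux:
            verdict = "affected"
        else:
            verdict = "vulnerable version present, not exposed (no WebFlux)"
        findings.append((name, artifact, verdict))
    return findings


# Constructed sample: a WEB-INF/lib listing, not taken from any real product.
SAMPLE_JARS = [
    "spring-core-5.3.6.jar",
    "spring-web-5.3.6.jar",
    "spring-webflux-5.3.7.jar",
    "spring-web-5.2.14.RELEASE.jar",
    "spring-web-5.2.15.RELEASE.jar",
    "spring-web-5.1.20.RELEASE.jar",
]

if __name__ == "__main__":
    for name, artifact, verdict in assess(SAMPLE_JARS, uses_webflux=True):
        print(f"{name}: {verdict}")
```

Run it against the output of `ls WEB-INF/lib` (or `unzip -l app.jar | grep spring-web`) with `uses_webflux` set according to whether the application registers WebFlux multipart handling; a "not in advisory range" result means the jar line is not covered by this advisory and must be checked against its own fix status rather than assumed safe.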
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat AMQ Broker 7 | spring-web | Not affected | | |
Red Hat CodeReady Studio 12 | spring-web | Will not fix | | |
Red Hat Decision Manager 7 | spring-web | Not affected | | |
Red Hat Decision Manager 7 | spring-webmvc | Not affected | | |
Red Hat Fuse 7 | spring-webmvc | Not affected | | |
Red Hat JBoss A-MQ 6 | spring-web | Not affected | | |
Red Hat JBoss Fuse 6 | spring-web | Not affected | | |
Red Hat JBoss Fuse 6 | spring-webmvc | Not affected | | |
Red Hat OpenShift Container Platform 3.11 | jenkins | Will not fix | | |
Red Hat OpenShift Container Platform 4 | jenkins | Will not fix | | |
Additional information
Status:
CVSS3: 7.1 High
Related vulnerabilities
Improper Privilege Management in Spring Framework
A vulnerability in the Spring Framework software platform caused by improper privilege management, allowing an attacker to read and overwrite arbitrary files