Vulnerabilities > CVE-2021-22118 - Exposure of Resource to Wrong Sphere vulnerability in multiple products

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

NVD

Published: 2021-05-27

Updated: 2022-10-25

Summary

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.

Vulnerable Configurations

Part	Description	Count
Application	Vmware Vmware Spring Framework 5.2.0 Vmware Spring Framework 5.2.1 Vmware Spring Framework 5.2.2 Vmware Spring Framework 5.2.3 Vmware Spring Framework 5.2.4 Vmware Spring Framework 5.2.5 Vmware Spring Framework 5.2.6 Vmware Spring Framework 5.2.7 Vmware Spring Framework 5.2.8 Vmware Spring Framework 5.2.9 Vmware Spring Framework 5.2.10 Vmware Spring Framework 5.2.11 Vmware Spring Framework 5.2.12 Vmware Spring Framework 5.2.13 Vmware Spring Framework 5.2.14 Vmware Spring Framework 5.3.0 Vmware Spring Framework 5.3.1 Vmware Spring Framework 5.3.2 Vmware Spring Framework 5.3.3 Vmware Spring Framework 5.3.4 Vmware Spring Framework 5.3.5 Vmware Spring Framework 5.3.6	31
Application	Oracle Oracle Retail Order Broker 16.0 Oracle Retail Predictive Application Server 15.0.3 Oracle Retail Predictive Application Server 14.1.3 Oracle Retail Predictive Application Server 16.0.3 Oracle Enterprise Data Quality 12.2.1.3.0 Oracle Enterprise Data Quality 12.2.1.4.0 Oracle Retail Assortment Planning 16.0 Oracle Retail Financial Integration 16.0.3 Oracle Retail Financial Integration 14.1.3.2 Oracle Retail Financial Integration 15.0.3.1 Oracle Communications Network Integrity 7.3.6 Oracle Retail Integration BUS 16.0.3 Oracle Retail Integration BUS 14.1.3.2 Oracle Retail Integration BUS 15.0.3.1 Oracle Insurance Rules Palette 11.0.2 Oracle Insurance Rules Palette 11.1.0 Oracle Insurance Rules Palette 11.3.1 Oracle Insurance Rules Palette 11.2.7 Oracle Insurance Rules Palette 11.3.0 Oracle Communications Interactive Session Recorder 6.4 Oracle Commerce Guided Search 11.3.2 Oracle Communications Unified Inventory Management 7.4.1 Oracle Communications Unified Inventory Management 7.4.2 Oracle Communications Unified Inventory Management 7.5.0 Oracle Retail Customer Management AND Segmentation Foundation 16.0 Oracle Retail Customer Management AND Segmentation Foundation 16.0.1 Oracle Retail Customer Management AND Segmentation Foundation 16.0.2 Oracle Retail Customer Management AND Segmentation Foundation 17.0 Oracle Retail Customer Management AND Segmentation Foundation 17.0.1 Oracle Retail Customer Management AND Segmentation Foundation 18.0 Oracle Retail Customer Management AND Segmentation Foundation 18.1 Oracle Retail Customer Management AND Segmentation Foundation 19.0 Oracle Communications Element Manager 8.2.0 Oracle Communications Element Manager 8.2.0.0 Oracle Communications Element Manager 8.2.1 Oracle Communications Element Manager 8.2.2 Oracle Communications Element Manager 8.2.2.1 Oracle Communications Element Manager 8.2.4.0 Oracle Insurance Policy Administration 11.0 Oracle Insurance Policy Administration 11.0.2 Oracle Insurance Policy Administration 11.1.0 Oracle Insurance Policy Administration 11.2.0 Oracle Insurance Policy Administration 11.2.7 Oracle Insurance Policy Administration 11.2.8 Oracle Insurance Policy Administration 11.3.0 Oracle Insurance Policy Administration 11.3.1 Oracle Healthcare Data Repository 8.1.0 Oracle Documaker 12.6.0 Oracle Documaker 12.6.3 Oracle Documaker 12.6.4 Oracle Mysql Enterprise Monitor - Oracle Mysql Enterprise Monitor 2.3.14 Oracle Mysql Enterprise Monitor 3.0.4 Oracle Mysql Enterprise Monitor 3.0.25 Oracle Mysql Enterprise Monitor 3.1.0 Oracle Mysql Enterprise Monitor 3.1.1 Oracle Mysql Enterprise Monitor 3.1.2 Oracle Mysql Enterprise Monitor 3.1.3 Oracle Mysql Enterprise Monitor 3.1.3.7856 Oracle Mysql Enterprise Monitor 3.1.4 Oracle Mysql Enterprise Monitor 3.1.5 Oracle Mysql Enterprise Monitor 3.1.6 Oracle Mysql Enterprise Monitor 3.1.6.8003 Oracle Mysql Enterprise Monitor 3.1.7 Oracle Mysql Enterprise Monitor 3.2.0 Oracle Mysql Enterprise Monitor 3.2.1 Oracle Mysql Enterprise Monitor 3.2.2 Oracle Mysql Enterprise Monitor 3.2.3 Oracle Mysql Enterprise Monitor 3.2.4 Oracle Mysql Enterprise Monitor 3.2.5 Oracle Mysql Enterprise Monitor 3.2.6 Oracle Mysql Enterprise Monitor 3.2.7 Oracle Mysql Enterprise Monitor 3.2.8 Oracle Mysql Enterprise Monitor 3.2.8.2223 Oracle Mysql Enterprise Monitor 3.2.9 Oracle Mysql Enterprise Monitor 3.2.10 Oracle Mysql Enterprise Monitor 3.2.1182 Oracle Mysql Enterprise Monitor 3.3.0 Oracle Mysql Enterprise Monitor 3.3.1 Oracle Mysql Enterprise Monitor 3.3.2 Oracle Mysql Enterprise Monitor 3.3.2.1162 Oracle Mysql Enterprise Monitor 3.3.3 Oracle Mysql Enterprise Monitor 3.3.4 Oracle Mysql Enterprise Monitor 3.3.4.3247 Oracle Mysql Enterprise Monitor 3.3.5 Oracle Mysql Enterprise Monitor 3.3.6 Oracle Mysql Enterprise Monitor 3.3.6.3293 Oracle Mysql Enterprise Monitor 3.3.7 Oracle Mysql Enterprise Monitor 3.3.8 Oracle Mysql Enterprise Monitor 3.3.9 Oracle Mysql Enterprise Monitor 3.4.0 Oracle Mysql Enterprise Monitor 3.4.1 Oracle Mysql Enterprise Monitor 3.4.2 Oracle Mysql Enterprise Monitor 3.4.2.4181 Oracle Mysql Enterprise Monitor 3.4.3 Oracle Mysql Enterprise Monitor 3.4.4 Oracle Mysql Enterprise Monitor 3.4.4.4226 Oracle Mysql Enterprise Monitor 3.4.5 Oracle Mysql Enterprise Monitor 3.4.6 Oracle Mysql Enterprise Monitor 3.4.7 Oracle Mysql Enterprise Monitor 3.4.7.4297 Oracle Mysql Enterprise Monitor 3.4.8 Oracle Mysql Enterprise Monitor 3.4.9 Oracle Mysql Enterprise Monitor 3.4.9.4237 Oracle Mysql Enterprise Monitor 3.4.10 Oracle Mysql Enterprise Monitor 4.0.0 Oracle Mysql Enterprise Monitor 4.0.0.5135 Oracle Mysql Enterprise Monitor 4.0.1 Oracle Mysql Enterprise Monitor 4.0.2 Oracle Mysql Enterprise Monitor 4.0.3 Oracle Mysql Enterprise Monitor 4.0.4 Oracle Mysql Enterprise Monitor 4.0.4.5235 Oracle Mysql Enterprise Monitor 4.0.5 Oracle Mysql Enterprise Monitor 4.0.6 Oracle Mysql Enterprise Monitor 4.0.6.5281 Oracle Mysql Enterprise Monitor 4.0.7 Oracle Mysql Enterprise Monitor 4.0.8 Oracle Mysql Enterprise Monitor 4.0.11.5331 Oracle Mysql Enterprise Monitor 4.0.12 Oracle Mysql Enterprise Monitor 4.1 Oracle Mysql Enterprise Monitor 8.0.0 Oracle Mysql Enterprise Monitor 8.0.0.8131 Oracle Mysql Enterprise Monitor 8.0.1 Oracle Mysql Enterprise Monitor 8.0.2 Oracle Mysql Enterprise Monitor 8.0.2.8191 Oracle Mysql Enterprise Monitor 8.0.3 Oracle Mysql Enterprise Monitor 8.0.14 Oracle Mysql Enterprise Monitor 8.0.18.1217 Oracle Mysql Enterprise Monitor 8.0.20 Oracle Mysql Enterprise Monitor 8.0.21 Oracle Mysql Enterprise Monitor 8.0.22 Oracle Mysql Enterprise Monitor 8.0.23 Oracle Mysql Enterprise Monitor 8.0.25 Oracle Communications Session Report Manager 8.0.0 Oracle Communications Session Report Manager 8.0.0.0 Oracle Communications Session Report Manager 8.1.0 Oracle Communications Session Report Manager 8.1.1 Oracle Communications Session Report Manager 8.2.0 Oracle Communications Session Report Manager 8.2.1 Oracle Communications Session Report Manager 8.2.2 Oracle Communications Session Report Manager 8.2.2.1 Oracle Communications Session Report Manager 8.2.4.0 Oracle Communications BRM Elastic Charging Engine 12.0.0.3 Oracle Communications Session Route Manager 8.0.0 Oracle Communications Session Route Manager 8.1.0 Oracle Communications Session Route Manager 8.1.1 Oracle Communications Session Route Manager 8.2.0 Oracle Communications Session Route Manager 8.2.0.0 Oracle Communications Session Route Manager 8.2.1 Oracle Communications Session Route Manager 8.2.2 Oracle Communications Session Route Manager 8.2.2.1 Oracle Communications Session Route Manager 8.2.4 Oracle Communications Session Route Manager 8.2.4.0 Oracle Retail Merchandising System 19.0.1 Oracle Utilities Testing Accelerator 6.0.0.2.2 Oracle Utilities Testing Accelerator 6.0.0.3.1 Oracle Utilities Testing Accelerator 6.0.0.1.1 Oracle Communications Cloud Native Core Policy 1.14.0 Oracle Communications Cloud Native Core Unified Data Repository 1.14.0 Oracle Communications Cloud Native Core Service Communication Proxy 1.14.0 Oracle Communications Cloud Native Core Security Edge Protection Proxy 1.6.0 Oracle Communications Cloud Native Core Binding Support Function 1.9.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.8 Oracle Financial Services Analytical Applications Infrastructure 8.0.8.0.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.9 Oracle Financial Services Analytical Applications Infrastructure 8.0.9.0.0 Oracle Financial Services Analytical Applications Infrastructure 8.1.0 Oracle Financial Services Analytical Applications Infrastructure 8.1.0.0.0 Oracle Financial Services Analytical Applications Infrastructure 8.1.1 Oracle Communications Diameter Intelligence HUB 8.0.0 Oracle Communications Diameter Intelligence HUB 8.1.0 Oracle Communications Diameter Intelligence HUB 8.2.0 Oracle Communications Diameter Intelligence HUB 8.2.3	173
Application	Netapp Netapp HCI - Netapp Management Services FOR Element Software -	2

Common Weakness Enumeration (CWE)

CWE-668 - Exposure of Resource to Wrong Sphere

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References