7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-22968

GHSA ID

GHSA-g5mm-vmx4-3rg7

EPSS Score

0.9561%

CWE

CWE-178

Published

4/15/2022

Updated

5/15/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-22968

CVE-2022-22968: Improper handling of case sensitivity in Spring Framework

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. Versions 5.3.19 and 5.2.21 contain a patch for this issue.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-22968

GHSA ID

GHSA-g5mm-vmx4-3rg7

EPSS Score

0.9561%

CWE

CWE-178

Published

4/15/2022

Updated

5/15/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.springframework:spring-context	maven	>= 5.3.0, < 5.3.19	5.3.19
org.springframework:spring-context	maven	< 5.2.21.RELEASE	5.2.21.RELEASE

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from case-sensitive handling of disallowed field patterns. The pre-patch setDisallowedFields() method stored patterns in canonical form without case normalization, while isAllowed() performed case-sensitive matching. This required developers to list both uppercase and lowercase variants of field names for effective protection. The commit shows these functions were modified to add lowercase conversion (setDisallowedFields) and case-insensitive matching (isAllowed), confirming their role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In Sprin* *r*m*work v*rsions *.*.* - *.*.**, *.*.* - *.*.**, *n* ol**r unsupport** v*rsions, t** p*tt*rns *or *is*llow***i*l*s on * **t**in**r *r* **s* s*nsitiv* w*i** m**ns * *i*l* is not *****tiv*ly prot**t** unl*ss it is list** wit* *ot* upp*r *n*

Reasoning

T** vuln*r**ility st*mm** *rom **s*-s*nsitiv* **n*lin* o* *is*llow** *i*l* p*tt*rns. T** pr*-p*t** s*t*is*llow***i*l*s() m*t*o* stor** p*tt*rns in **noni**l *orm wit*out **s* norm*liz*tion, w*il* is*llow**() p*r*orm** **s*-s*nsitiv* m*t**in*. T*is r*

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-22968: Improper handling of case sensitivity in Spring Framework

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI