CVE-2022-22970: 
Java vulnerability analysis and mitigation

Spring Framework versions prior to 5.3.20+, 5.2.22+ and older unsupported versions contain a vulnerability where applications handling file uploads are susceptible to Denial of Service (DoS) attacks when using data binding to set a MultipartFile or javax.servlet.Part to a field in a model object. The vulnerability was discovered in May 2022 and is tracked as CVE-2022-22970 (Spring Security).

The vulnerability affects Spring MVC and Spring WebFlux applications that handle file uploads through data binding functionality. It has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility with high attack complexity, requiring low privileges, and potentially resulting in high availability impact (NVD).

A successful exploitation of this vulnerability could lead to a Denial of Service condition, affecting the availability of the application. The attack specifically targets the file upload functionality when using data binding mechanisms (Spring Security).

Users of affected versions should upgrade to Spring Framework version 5.3.20 for 5.3.x users or version 5.2.22 for 5.2.x users. No additional mitigation steps are necessary beyond the version upgrade (Spring Security).

The vulnerability was responsibly reported to VMware by Rob Ryan from Adobe Inc., with related variations reported by WeBin Lab of Dbappsecurity and Vivek Sharm from Arcesium (Spring Security).