Improper Output Neutralization for Logs

CVE-2021-22060

Severity Medium
Score 4.3/10

Summary

In Spring Framework versions 5.2.x before 5.2.19.RELEASE, 5.3.x before 5.3.14, and older unsupported versions, it is possible for a user to provide malicious input that causes the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places in the Spring Framework codebase.

  • LOW
  • NETWORK
  • LOW
  • UNCHANGED
  • NONE
  • LOW
  • NONE
  • NONE

CWE-117 - Improper Output Neutralization for Logs

The software does not neutralize or incorrectly neutralizes output that is written to logs.
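An added example, not Spring's own fix, of the neutralization CWE-117 calls for, applied to the kind of input the summary describes (a value that smuggles a line break to forge a second entry); the class and method names are assumed:

```java
/**
 * Hypothetical helper (not Spring Framework code) showing the class of fix
 * CWE-117 describes: neutralize user-controlled text before it reaches a log.
 */
public final class LogSanitizer {

    private LogSanitizer() {}

    /**
     * Replaces CR, LF, TAB and other control characters with a visible escape so
     * one log call can never be split into several lines, and truncates
     * oversized values so a log line cannot be padded into something misleading.
     */
    public static String neutralize(String untrusted, int maxLength) {
        if (untrusted == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(untrusted.length());
        untrusted.codePoints().forEach(cp -> {
            if (cp == '\r') {
                out.append("\\r");
            } else if (cp == '\n') {
                out.append("\\n");
            } else if (cp == '\t') {
                out.append("\\t");
            } else if (Character.isISOControl(cp)) {
                out.append(String.format("\\u%04x", cp)); // e.g. \u001b (ESC)
            } else {
                out.appendCodePoint(cp);
            }
        });
        if (out.length() > maxLength) {
            out.setLength(maxLength);
            out.append("...[truncated]");
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a request parameter carrying a CRLF and a fake entry
        String userName = "alice\r\nWARN  login failed for admin";
        // Vulnerable pattern: the value is written as-is, so the log shows two lines
        System.out.println("INFO  login attempt by " + userName);
        // Hardened pattern: the forged line break is rendered as a literal \r\n
        System.out.println("INFO  login attempt by " + neutralize(userName, 200));
    }
}
```

Detection-side, the same rule helps when reviewing logs: a line that contains a literal `\r\n` escape followed by a log-level keyword is a sign that someone tried to forge an entry.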

Advisory Timeline

  • Published