Vulnerability in Oracle Communications Element Manager
CVE-2021-22112
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cann…
EPSS: 0.032 (86.4th percentile).
CVSS v3 metric
CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Oracle Communications Element Manager
- Oracle Communications Interactive Session Recorder, versions 6.3, 6.4
- Oracle Communications Unified Inventory Management, version 7.4.1
- Oracle Hospitality Cruise Shipboard Property Management System, version 20.1.0
- Oracle Insurance Policy Administration, versions 11.2.0, 11.3.0
- Oracle MySQL Enterprise Monitor
- Pivotal Software Spring Security
- VMware Spring Security
- Spring Security (no vendor listed), versions 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE
Frequently asked questions
- What is CVE-2021-22112?
- CVE-2021-22112 is a high-severity vulnerability in Oracle Communications Element Manager. CVSS score: 8.8/10. Published 2021-02-23.
- How severe is CVE-2021-22112?
- High severity. CVSS v3 base score is 8.8 out of 10.
- Is CVE-2021-22112 known to be exploited?
- 4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.