Menu
in ,

Spring Framework Data Binding Rules Vulnerability (CVE-2022-2296

Table of Contents

Overview

While investigating the Spring Framework RCE vulnerability CVE-2022-22965 and the suggested workaround, we realized that the disallowedFields configuration setting on WebDataBinder is not intuitive and is not clearly documented. We have fixed that but also decided to be on the safe side and announce a follow-up CVE, in order to ensure application developers are alerted and have a chance to review their configuration.

Posted by SH

Leave a Reply

Exit mobile version