Affects: \<5.3.10>

I used the Synopsys security vulnerability check tool yesterday.

Spring Framework 5.3.10 as follows

We have confirmed that there is a security vulnerability. I want to confirm the authenticity of the security vulnerability.

Black Duck Security Advisory: Spring Framework Vulnerable to Log File Injection via Insufficient Input Validation (BDSA-2021-3236)

Description: Spring Framework is vulnerable to log file injection due to the insufficient validation of user input in an undisclosed component. An attacker could leverage this issue in order to add arbitrary entries to a log file which could impact both the integrity issues and performance issues.

Comment From: mdeinum

Isn't this already mentioned with https://tanzu.vmware.com/security/cve-2021-22096 and solved in later versions of Spring 5.2/5.3, as mentioned in this blog?

Comment From: bclozel

As mentioned by @mdeinum, this has been announced on the proper channels and fixed already.

If you need more information about your tool, please reach out to your vendor.