GHSA-gq28-h5vg-8prx · Severity: high · Ecosystem: maven — Privilege escalation in spring security
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot trigger the bug on their own; the pattern must be present in the application's own code. However, if the application's intent is to let the user run with elevated privileges only in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
Conclusion & alert: CVE-2021-22112 is rated Moderate Risk (62/100): CVSS High severity, with medium exploitation likelihood (EPSS 0.98%). Mandatory action: review affected assets and schedule remediation, i.e. upgrade to Spring Security 5.4.4, 5.3.8.RELEASE or 5.2.9.RELEASE (or later) as appropriate for the branch in use.
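The pattern the advisory describes is an application that switches the SecurityContext to an elevated Authentication for one privileged section and then restores the caller's context, i.e. two changes in one request. The regression check below is an added example written for this page, not code from the advisory or from the Spring Security project. It mirrors what SecurityContextPersistenceFilter does around the filter chain (load the context from the session before, save it after) using HttpSessionSecurityContextRepository directly, runs a constructed `runElevated` helper that stands in for the application's own elevation code, and asserts that what ends up in the session is still the ordinary user. It assumes spring-security-web, spring-test and junit-jupiter on the classpath; the exact code path that leaks in a given application may differ, so treat this as a template to adapt, and upgrade regardless of whether it passes.

```java
// Added regression check for the "SecurityContext changed twice in one request" pattern.
// Not from the advisory or the Spring Security project. Assumes spring-security-web,
// spring-test and junit-jupiter are available; the session contents are constructed.
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;

import java.util.function.Supplier;

import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

class TemporaryElevationLeakTest {

    private static final String KEY = HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY;

    @AfterEach
    void clear() {
        SecurityContextHolder.clearContext();
    }

    // Constructed stand-in for the application's temporary elevation: switch to an
    // elevated context, run the privileged work, restore the caller's context.
    // That is two SecurityContext changes within a single request.
    static <T> T runElevated(Authentication elevated, Supplier<T> work) {
        SecurityContext original = SecurityContextHolder.getContext();
        SecurityContext scoped = SecurityContextHolder.createEmptyContext();
        scoped.setAuthentication(elevated);
        SecurityContextHolder.setContext(scoped);        // change 1: elevate
        try {
            return work.get();
        } finally {
            SecurityContextHolder.setContext(original);  // change 2: restore
        }
    }

    @Test
    void elevationDoesNotLeakIntoSession() {
        // Session seeded with the ordinary user, as it would be after login.
        Authentication alice = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        SecurityContext seeded = SecurityContextHolder.createEmptyContext();
        seeded.setAuthentication(alice);
        MockHttpSession session = new MockHttpSession();
        session.setAttribute(KEY, seeded);

        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/report");
        request.setSession(session);
        MockHttpServletResponse response = new MockHttpServletResponse();

        // Mirror SecurityContextPersistenceFilter: load before the chain, save after it.
        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
        HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
        SecurityContextHolder.setContext(repo.loadContext(holder));

        // The privileged section: same principal, extra authority, in effect only inside runElevated.
        Authentication elevated = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER", "ROLE_ADMIN"));
        String result = runElevated(elevated, () -> "privileged-section-done");
        assertEquals("privileged-section-done", result);

        // saveContext must receive the wrapped response produced by loadContext.
        repo.saveContext(SecurityContextHolder.getContext(), holder.getRequest(), holder.getResponse());

        // Whatever the next request loads from the session must be the original user.
        SecurityContext persisted = (SecurityContext) session.getAttribute(KEY);
        assertEquals("alice", persisted.getAuthentication().getName());
        assertFalse(persisted.getAuthentication().getAuthorities()
                        .contains(new SimpleGrantedAuthority("ROLE_ADMIN")),
                "elevated authority leaked into the persisted SecurityContext");
    }
}
```

Run it against the Spring Security version actually on the classpath before and after the upgrade. A failing assertion means an elevated context reached the session and will be honoured by every later request in that session, which is exactly the privilege extension the advisory warns about.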
EPSS: the daily EPSS score estimates the relative likelihood that this CVE will be exploited in the wild over the next 30 days; the percentile ranks it among all scored vulnerabilities (a higher percentile means it is more likely to be exploited than a larger share of CVEs, not that it is more severe).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-05-26 | 1.07% | 0.98% | -0.09% |
| 2 | 2026-05-22 | 0.98% | 1.07% | +0.09% |
| 3 | 2025-11-21 | — | 0.98% | — |
The table shows the three most recent of 23 EPSS records for this CVE.
CVSS metrics for this CVE (the vector strings were not preserved on this page):
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.8 | 3.1 | HIGH | — | 2.8 | 5.9 | [email protected] |
| 9.0 | 2.0 | HIGH | — | 8.0 | 10.0 | [email protected] |
Vendor advisories:
| Vendor | Priority | Summary | Link |
|---|---|---|---|
| redhat | high | — | https://access.redhat.com/security/cve/CVE-2021-22112 |
Affected products (the Oracle entries bundle the affected Spring Security versions):
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| pivotal_software | spring_security | < 5.2.9 | cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:* |
| pivotal_software | spring_security | >= 5.3.0, < 5.3.8 | cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:* |
| vmware | spring_security | >= 5.4.0, < 5.4.4 | cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:* |
| oracle | communications_element_manager | >= 8.2.0, <= 8.2.4.0 | cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:* |
| oracle | communications_interactive_session_recorder | 6.3 | cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3:*:*:*:*:*:*:* |
| oracle | communications_interactive_session_recorder | 6.4 | cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:* |
| oracle | communications_unified_inventory_management | 7.4.1 | cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:* |
| oracle | hospitality_cruise_shipboard_property_management_system | 20.1.0 | cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0:*:*:*:*:*:*:* |
| oracle | insurance_policy_administration | 11.2.0 | cpe:2.3:a:oracle:insurance_policy_administration:11.2.0:*:*:*:*:*:*:* |
| oracle | insurance_policy_administration | 11.3.0 | cpe:2.3:a:oracle:insurance_policy_administration:11.3.0:*:*:*:*:*:*:* |
| oracle | mysql_enterprise_monitor | <= 8.0.25 | cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* |