CVE-2021-22118

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.

Published: 2021-05-27 Last update: 2024-11-21 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2021-22118 is rated Moderate Risk (48.2/100): CVSS High severity, with low exploitation likelihood (EPSS 0.25%). Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2021-22118

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-01-16 0.19% 0.25% +0.06%
2 2025-11-21 0.38% 0.19% -0.18%
3 2025-11-18 0.38%

Full EPSS history (23 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2021-22118

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.8 3.1 HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.8 5.9 [email protected]
4.6 2.0 MEDIUM
AV:L/AC:L/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:L)
Requires local access to the target system.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 3.9 6.4 [email protected]

Weakness enumeration for CVE-2021-22118

GitHub Security Advisory for CVE-2021-22118

GHSA-gfwj-fwqj-fp3v · Severity: high · Ecosystem: maven — Improper Privilege Management in Spring Framework

OS Trackers for CVE-2021-22118

vendor priority summary link
debian unimportant CVE-2021-22118 unimportant priority: Debian including 1 source packages (libspring-java), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2021-22118
redhat medium https://access.redhat.com/security/cve/CVE-2021-22118
ubuntu medium CVE-2021-22118 medium priority: Ubuntu including 1 source packages (libspring-java), 16 status rows across 16 suites (bionic, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 14, needed 1, released 1. https://ubuntu.com/security/CVE-2021-22118

Affected software / configurations for CVE-2021-22118

Vendor Product Version Raw CPE
vmware spring_framework >= 5.2.0, < 5.2.15 cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
vmware spring_framework >= 5.3.0, < 5.3.7 cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
oracle commerce_guided_search 11.3.2 cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
oracle communications_brm_-_elastic_charging_engine 12.0.0.3 cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*
oracle communications_cloud_native_core_binding_support_function 1.9.0 cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.9.0:*:*:*:*:*:*:*
oracle communications_cloud_native_core_policy 1.14.0 cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*
oracle communications_cloud_native_core_security_edge_protection_proxy 1.6.0 cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.6.0:*:*:*:*:*:*:*
oracle communications_cloud_native_core_service_communication_proxy 1.14.0 cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:*:*:*:*:*:*:*
oracle communications_cloud_native_core_unified_data_repository 1.14.0 cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.14.0:*:*:*:*:*:*:*
oracle communications_diameter_intelligence_hub >= 8.0.0, <= 8.1.0 cpe:2.3:a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:*
oracle communications_diameter_intelligence_hub >= 8.2.0, <= 8.2.3 cpe:2.3:a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:*
oracle communications_element_manager >= 8.2.0, <= 8.2.4.0 cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*
oracle communications_interactive_session_recorder 6.4 cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*
oracle communications_network_integrity 7.3.6 cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*
oracle communications_session_report_manager >= 8.0.0, <= 8.2.4.0 cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*
oracle communications_session_route_manager >= 8.0.0, <= 8.2.4.0 cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*
oracle communications_unified_inventory_management 7.4.1 cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*
oracle communications_unified_inventory_management 7.4.2 cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*
oracle communications_unified_inventory_management 7.5.0 cpe:2.3:a:oracle:communications_unified_inventory_management:7.5.0:*:*:*:*:*:*:*
oracle documaker >= 12.6.0, <= 12.6.4 cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:*
oracle enterprise_data_quality 12.2.1.3.0 cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:*
oracle enterprise_data_quality 12.2.1.4.0 cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.4.0:*:*:*:*:*:*:*
oracle financial_services_analytical_applications_infrastructure >= 8.0.8, <= 8.1.1 cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
oracle healthcare_data_repository 8.1.0 cpe:2.3:a:oracle:healthcare_data_repository:8.1.0:*:*:*:*:*:*:*
oracle insurance_policy_administration >= 11.0, <= 11.3.1 cpe:2.3:a:oracle:insurance_policy_administration:*:*:*:*:*:*:*:*
oracle insurance_rules_palette 11.0.2 cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*
oracle insurance_rules_palette 11.1.0 cpe:2.3:a:oracle:insurance_rules_palette:11.1.0:*:*:*:*:*:*:*
oracle insurance_rules_palette 11.2.7 cpe:2.3:a:oracle:insurance_rules_palette:11.2.7:*:*:*:*:*:*:*
oracle insurance_rules_palette 11.3.0 cpe:2.3:a:oracle:insurance_rules_palette:11.3.0:*:*:*:*:*:*:*
oracle insurance_rules_palette 11.3.1 cpe:2.3:a:oracle:insurance_rules_palette:11.3.1:*:*:*:*:*:*:*
oracle mysql_enterprise_monitor <= 8.0.25 cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
oracle retail_assortment_planning 16.0 cpe:2.3:a:oracle:retail_assortment_planning:16.0:*:*:*:*:*:*:*
oracle retail_customer_management_and_segmentation_foundation >= 16.0, <= 19.0 cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:*
oracle retail_financial_integration 14.1.3.2 cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:*
oracle retail_financial_integration 15.0.3.1 cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:*:*:*:*:*:*:*
oracle retail_financial_integration 16.0.3 cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*
oracle retail_integration_bus 14.1.3.2 cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:*
oracle retail_integration_bus 15.0.3.1 cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:*
oracle retail_integration_bus 16.0.3 cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*
oracle retail_merchandising_system 19.0.1 cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:*
oracle retail_order_broker 16.0 cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
oracle retail_predictive_application_server 14.1.3 cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3:*:*:*:*:*:*:*
oracle retail_predictive_application_server 15.0.3 cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3:*:*:*:*:*:*:*
oracle retail_predictive_application_server 16.0.3 cpe:2.3:a:oracle:retail_predictive_application_server:16.0.3:*:*:*:*:*:*:*
oracle utilities_testing_accelerator 6.0.0.1.1 cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*
oracle utilities_testing_accelerator 6.0.0.2.2 cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:*
oracle utilities_testing_accelerator 6.0.0.3.1 cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:*
netapp hci cpe:2.3:a:netapp:hci:-:*:*:*:*:*:*:*
netapp management_services_for_element_software cpe:2.3:a:netapp:management_services_for_element_software:-:*:*:*:*:*:*:*

References for CVE-2021-22118

cvelogic Threat Intelligence