CVE-2021-22060
Description
In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Spring Framework log injection vulnerability allows attackers to insert arbitrary log entries via malicious input, affecting versions 5.3.0-5.3.13, 5.2.0-5.2.18, and older.
Vulnerability
In Spring Framework versions 5.3.0 to 5.3.13, 5.2.0 to 5.2.18, and older unsupported versions, a user can provide malicious input that causes the insertion of additional log entries. This is a follow-up to CVE-2021-22096, extending protection to additional input types and code paths. The vulnerability exists in the logging functionality where user-controlled data is logged without proper sanitization. [1][2]
Exploitation
An attacker can supply specially crafted input to an application using the affected Spring Framework versions. The input is processed and logged, resulting in the injection of arbitrary log entries. No authentication or special privileges are required if the application logs user-supplied data. The attacker can inject newline characters or other log-formatting characters to create fake log entries or obscure malicious activity. [1][2]
Impact
Successful exploitation allows an attacker to insert arbitrary log entries, potentially leading to log forging. This can be used to mislead security audits, hide malicious actions, or inject misleading information into log files. The integrity of log data is compromised, but no direct code execution or data disclosure is reported. [1][2]
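As an added illustration (not code from the Spring Framework, the advisory, or this CVE record), the following Java class shows the mechanism the narrative describes: a log line built from unsanitized user input, where a constructed input carrying a line terminator is read back as a second, forged record, beside a hardened variant that neutralizes line terminators and other control characters before the value is logged. The class and method names, and the sample input, are assumptions made for this example and are not Spring's own fix.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not Spring Framework code: shows how unsanitized user input
 * becomes a forged log record, and one defensive neutralization approach.
 * Class and method names are assumptions made for this illustration.
 */
public class LogInjectionDemo {

    /** Vulnerable pattern: user-controlled data concatenated into a log line as-is. */
    static String vulnerableLogLine(String userInput) {
        return "WARN  authentication failed for user=" + userInput;
    }

    /**
     * Neutralize line terminators and other control characters so that the
     * logged value can never start a new record or carry terminal escapes.
     * CR and LF become the visible escapes \r and \n; any other ISO control
     * character (including NEL, LS and PS) is rendered as a backslash-u escape.
     */
    static String sanitizeForLog(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\r':
                    out.append("\\r");
                    break;
                case '\n':
                    out.append("\\n");
                    break;
                case '\u0085':
                case '\u2028':
                case '\u2029':
                    out.append(String.format("\\u%04x", (int) c));
                    break;
                default:
                    if (Character.isISOControl(c)) {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    /** Hardened pattern: the same log line, with the user value neutralized first. */
    static String hardenedLogLine(String userInput) {
        return "WARN  authentication failed for user=" + sanitizeForLog(userInput);
    }

    /** Split a log buffer the way a line-oriented log reader or SIEM parser would. */
    static List<String> records(String logBuffer) {
        List<String> lines = new ArrayList<>();
        for (String line : logBuffer.split("\\R")) {
            lines.add(line);
        }
        return lines;
    }

    public static void main(String[] args) {
        // Constructed sample input: a "username" carrying a line terminator
        // followed by text shaped like a second, reassuring log record.
        String crafted = "alice\nINFO  authentication succeeded for user=alice";

        List<String> vulnerable = records(vulnerableLogLine(crafted));
        List<String> hardened = records(hardenedLogLine(crafted));

        System.out.println("vulnerable: " + vulnerable.size() + " record(s)");
        for (String r : vulnerable) {
            System.out.println("  " + r);
        }
        System.out.println("hardened:   " + hardened.size() + " record(s)");
        for (String r : hardened) {
            System.out.println("  " + r);
        }
    }
}
```

Run with `javac LogInjectionDemo.java && java LogInjectionDemo`. The vulnerable line splits into two records, the second of which never came from the application, while the hardened line stays a single record with the terminator visible as `\n` inside the quoted value. The same neutralization belongs at the logging boundary for every user-controlled field (headers, parameters, path segments), which is the class of input the follow-up fix in this CVE widened coverage for; a log pipeline can additionally flag records whose level or timestamp prefix appears mid-line as a sign of attempted forging.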
Mitigation
Users should upgrade to Spring Framework 5.3.14+ or 5.2.19+ as appropriate. Older unsupported versions should be upgraded to a supported release. No workarounds are provided. The fix was released on January 5, 2022. [2]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework:spring-core (Maven) | >= 5.3.0, < 5.3.14 | 5.3.14 |
| org.springframework:spring-core (Maven) | >= 5.2.0, < 5.2.19 | 5.2.19 |
Affected products
- Spring / Spring Framework
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-6gf2-pvqw-37ph (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-22060 (NVD advisory)
- tanzu.vmware.com/security/cve-2021-22060 (vendor advisory)
- www.oracle.com/security-alerts/cpuapr2022.html (Oracle Critical Patch Update, April 2022)
News mentions
No linked articles in our index yet.