CVE-2021-22096
Description
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Spring Framework log injection vulnerability allows attackers to forge log entries via malicious input.
Vulnerability
CVE-2021-22096 is a log injection vulnerability in Spring Framework versions 5.3.0 to 5.3.10, 5.2.0 to 5.2.17, and older unsupported versions [1][3]. The flaw lies in the logging mechanism, where user-supplied input is not properly sanitized, allowing an attacker to insert arbitrary content into application log entries [1][3]. No special configuration is required to reach the vulnerable code path; the issue occurs wherever user input is logged without validation.
Exploitation
To exploit this vulnerability, an attacker does not need authentication or a specific network position; exploitation can be performed remotely [3]. The attacker provides a crafted string (e.g., one containing newline characters) that, when processed and written to logs by the affected Spring Framework version, results in the insertion of additional, misleading log lines [1][3]. No user interaction beyond normal application usage is required for the attack to succeed. The CVSS vector indicates low attack complexity, no privileges required, and no user interaction required [3].
Impact
Successful exploitation allows an attacker to inject arbitrary log entries, potentially misleading administrators or automated log analysis tools [1]. This can be used to hide malicious activity, tamper with audit trails, or perform log poisoning attacks [3]. The confidentiality and integrity impacts are low, as the attacker does not gain direct access to data or execute code, but the credibility of logs is undermined, which can have downstream security repercussions [3].
Mitigation
The vulnerability is fixed in Spring Framework 5.2.18+ and 5.3.12+ [3]. Users of 5.3.x versions should upgrade to 5.3.12 or later (note: 5.3.11 contains the fix but has a major regression, so 5.3.12 is recommended) [3]. Users of 5.2.x should upgrade to 5.2.18 or later. For older unsupported versions, upgrading to a supported release is the only advised mitigation, as no other workaround is provided [3].
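The mechanics described above (a value containing CR/LF is written verbatim into a line-oriented log, so one event becomes two records) and the defensive measures an application can apply independently of the framework upgrade are illustrated below. This is an added example, not code from Spring Framework or from the advisory; the `seq=` record layout, the sanitizer and the sequence check are assumptions chosen for the illustration, and the forged username is a constructed sample.

```python
import re

# Constructed sample input: a login name carrying CR/LF followed by text shaped
# like a second, legitimate-looking audit record. Not taken from the CVE.
FORGED_USERNAME = "alice\r\nseq=0002 event=login result=OK user=root"

# Control characters that can terminate or reshape a log line: C0 controls and DEL.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
_ESCAPES = {"\n": "\\n", "\r": "\\r", "\t": "\\t"}


def neutralize(value: str) -> str:
    """Replace control characters with printable escapes so a user-supplied
    value can never start a new line or reshape the record it is logged in.
    The attempt stays visible to whoever reads the log."""
    return _CONTROL.sub(
        lambda m: _ESCAPES.get(m.group(), "\\x%02x" % ord(m.group())), value
    )


def format_record(seq: int, event: str, result: str, user: str, sanitize: bool) -> str:
    """Render one audit record (assumed layout). With sanitize=False the user
    field is written verbatim, the unsafe pattern the CVE describes; with
    sanitize=True control characters are neutralized first."""
    field = neutralize(user) if sanitize else user
    return f"seq={seq:04d} event={event} result={result} user={field}"


def write_log(sanitize: bool) -> list:
    """Produce the physical log lines for two events, one carrying the forged
    username, exactly as a line-oriented log reader would see them."""
    records = [
        format_record(1, "login", "FAIL", FORGED_USERNAME, sanitize),
        format_record(2, "logout", "OK", "bob", sanitize),
    ]
    return "\n".join(records).splitlines()


_SEQ = re.compile(r"^seq=(\d{4}) ")


def check_sequence(lines) -> dict:
    """Detection: every physical line must carry a unique, gap-free sequence
    number. Lines without one are bare continuations; lines sharing a number
    include a record forged to look real; gaps point at removed records."""
    by_seq = {}
    no_seq = []
    for line in lines:
        m = _SEQ.match(line)
        if not m:
            no_seq.append(line)
        else:
            by_seq.setdefault(int(m.group(1)), []).append(line)
    duplicate = [l for ls in by_seq.values() if len(ls) > 1 for l in ls]
    gaps = [n for n in range(1, max(by_seq, default=0) + 1) if n not in by_seq]
    return {"no_seq": no_seq, "duplicate": duplicate, "gaps": gaps}


if __name__ == "__main__":
    for sanitize in (False, True):
        lines = write_log(sanitize)
        print(f"sanitize={sanitize}: {len(lines)} physical line(s)")
        for line in lines:
            print("  " + line)
        print("  findings:", check_sequence(lines))
```

Run as a script, the unsafe variant yields three physical lines from two events, with the forged record reusing sequence number 0002, which the check reports as a duplicate; the sanitized variant yields two lines and the injected text remains visible as `\r\n` inside the `user=` field. Neutralizing control characters at the logging boundary is defense in depth and does not replace the upgrade to a fixed Spring Framework release.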
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework:spring-core (Maven) | >= 5.3.0, < 5.3.11 | 5.3.11 |
| org.springframework:spring-core (Maven) | >= 5.2.0, < 5.2.18 | 5.2.18 |
| org.springframework:spring (Maven) | >= 5.2.0, < 5.2.18 | 5.2.18 |
| org.springframework:spring (Maven) | >= 5.3.0, < 5.3.11 | 5.3.11 |
Affected products
- Spring / Spring Framework (from GHSA coordinates, 2 version ranges)
- range: >= 5.2.0, < 5.2.18 (no CPE)
- range: >= 5.3.0, < 5.3.11 (no CPE)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-rfmp-97jj-h8m6 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-22096 (GHSA, advisory)
- security.netapp.com/advisory/ntap-20211125-0005 (GHSA, web)
- security.netapp.com/advisory/ntap-20211125-0005/ (MITRE, x_refsource_CONFIRM)
- tanzu.vmware.com/security/cve-2021-22096 (GHSA, x_refsource_MISC, web)
- www.oracle.com/security-alerts/cpuapr2022.html (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.