VMware Spring Boot < 2.5.13, 2.6.x < 2.6.7 Data Binding Rules Vulnerability

# SPDX-FileCopyrightText: 2022 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:vmware:spring_boot";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.113904");
  script_version("2024-01-23T05:05:19+0000");
  script_tag(name:"last_modification", value:"2024-01-23 05:05:19 +0000 (Tue, 23 Jan 2024)");
  script_tag(name:"creation_date", value:"2022-04-19 10:56:39 +0000 (Tue, 19 Apr 2022)");
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2022-05-10 18:49:00 +0000 (Tue, 10 May 2022)");

  script_cve_id("CVE-2022-22968");

  script_name("VMware Spring Boot < 2.5.13, 2.6.x < 2.6.7 Data Binding Rules Vulnerability");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2022 Greenbone AG");
  script_family("Web application abuses");
  script_dependencies("gb_vmware_spring_boot_consolidation.nasl");
  script_mandatory_keys("vmware/spring/boot/detected");

  script_xref(name:"URL", value:"https://tanzu.vmware.com/security/cve-2022-22968");
  script_xref(name:"URL", value:"https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968");

  script_tag(name:"summary", value:"VMware Spring Boot is prone to a data binding rules
  vulnerability in the used Spring Framework.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"In Spring Framework the patterns for disallowedFields on a
  DataBinder are case sensitive which means a field is not effectively protected unless it is listed
  with both upper and lower case for the first character of the field, including upper and lower
  case for the first character of all nested fields within the property path.");

  script_tag(name:"affected", value:"VMware Spring Boot versions prior to 2.5.13 and 2.6.x prior to
  2.6.7.

  The following are the requirements for an environment to be affected to this specific
  vulnerability:

  - Registration of 'disallowed field patterns' in a 'DataBinder'

  - spring-webmvc or spring-webflux dependency

  - an affected version of Spring Boot");

  script_tag(name:"solution", value:"Update to Spring Boot version 2.5.13, 2.6.7 or later.");

  # nb: See affected tag for specific constraints / requirements for being vulnerable.
  script_tag(name:"qod_type", value:"executable_version_unreliable");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if( isnull( port = get_app_port( cpe:CPE ) ) )
  exit( 0 );

if( ! infos = get_app_version_and_location( cpe:CPE, port:port, exit_no_version:TRUE ) )
  exit( 0 );

version = infos["version"];
location = infos["location"];

if( version_is_less( version:version, test_version:"2.5.13" ) ) {
  report = report_fixed_ver( installed_version:version, fixed_version:"2.5.13/2.6.7", install_path:location );
  security_message( port:port, data:report );
  exit( 0 );
}

if( version_in_range_exclusive( version:version, test_version_lo:"2.6.0", test_version_up:"2.6.7" ) ) {
  report = report_fixed_ver( installed_version:version, fixed_version:"2.6.7", install_path:location );
  security_message( port:port, data:report );
  exit( 0 );
}

exit( 99 );