CVE-2022-31679: Potential Unintended Data Exposure for Resource Exposed by Spring Data REST
Severity
Medium
Vendor
Spring by VMware
Description
In applications that allow HTTP PATCH access to resources exposed by Spring Data REST (versions 3.6.0 to 3.6.6, 3.7.0 to 3.7.2, and older unsupported versions), an attacker who knows the structure of the underlying domain model can craft HTTP requests that expose hidden entity attributes.
Workarounds: If the resources exposed by Spring Data REST do not need to support HTTP PATCH requests, you can disable that support as described here. Applications that have generally disabled HTTP PATCH support, either through the corresponding configuration of Spring Data REST, Spring Boot or through their runtime infrastructure, are not affected, either.
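The workaround above, as an added Java example that is not the advisory's or the Spring Data REST project's own code: a `RepositoryRestConfigurer` that removes HTTP PATCH from every item resource, plus a MockMvc check that a PATCH now gets 405. The `Order` entity and the `/orders/{id}` path are assumptions for illustration.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.rest.core.config.RepositoryRestConfiguration;
import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurer;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.servlet.config.annotation.CorsRegistry;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

/** Disables HTTP PATCH on all item resources exported by Spring Data REST. */
@Configuration
public class DisablePatchConfig implements RepositoryRestConfigurer {

    @Override
    public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config,
                                                     CorsRegistry cors) {
        // Global switch: PATCH is no longer advertised or accepted for any
        // exported aggregate. PUT/POST/GET/DELETE exposure is unchanged.
        config.getExposureConfiguration().disablePatchOnItemResources();

        // Narrower alternative (hypothetical Order entity): keep PATCH elsewhere
        // but drop it only for this aggregate.
        // config.getExposureConfiguration()
        //       .forDomainType(Order.class)
        //       .disablePatchOnItemResources();
    }
}

/** Regression check: a PATCH against an item resource must be rejected. */
@SpringBootTest
@AutoConfigureMockMvc
class PatchDisabledTest {

    @Autowired
    MockMvc mvc;

    @org.junit.jupiter.api.Test
    void patchOnItemResourceIsRejected() throws Exception {
        // Hypothetical path; the entity is assumed to be exported at /orders.
        mvc.perform(patch("/orders/1")
                .contentType("application/merge-patch+json")
                .content("{}"))
           .andExpect(status().isMethodNotAllowed());
    }
}
```

Applications that only route PATCH away at a reverse proxy or servlet filter should still verify with a request like the one in the test, since the advisory counts runtime-infrastructure blocking as a valid mitigation only when it actually takes effect.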
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
- Spring Data REST
  - 3.6.0 to 3.6.6
  - 3.7.0 to 3.7.2
  - Older, unsupported versions are also affected
Mitigation
Users of affected versions should apply the following mitigation: 3.6.x users should upgrade to 3.6.7+ (included in Spring Boot 2.6.12+). 3.7.x users should upgrade to 3.7.3+ (included in Spring Boot 2.7.4+). No other steps are necessary. Releases that have fixed this issue include:
- Spring Data REST
  - 3.6.7+
  - 3.7.3+
Credit
This vulnerability was initially discovered and responsibly reported by 白帽酱 @burpheart.
References
- https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N&version=3.1
History
2022-09-19: Initial vulnerability report published.