Headline
GHSA-fv7x-v67w-cvqv: Spring Data REST can expose hidden entity attributes
Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.6.6, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes.
Package
maven org.springframework.data:spring-data-rest-core (Maven)
Affected versions
>= 3.6.0, < 3.6.7
>= 3.7.0, < 3.7.3
Patched versions
3.6.7
3.7.3
Related news
CVE-2022-31679: CVE-2022-31679 | Security
Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes.