Description

STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.

Affected Spring Products and Versions

Spring Framework:

• 6.2.0 - 6.2.11
• 6.1.0 - 6.1.23
• 6.0.x - 6.0.29
• 5.3.0 - 5.3.45
• Older, unsupported versions are also affected.
…

Description

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.

An application should be considered vulnerable when all the following are true:

• The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
• An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
• An untrusted third party could create a route that uses SpEL to access environment variables or system properties if:
  • The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=true or management.endpoint.gateway.access=unrestricte.
  • …

Description

The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for…

Description

The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method…

Description

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification.

An application should be considered vulnerable when all the following are true:

• The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
• Spring Boot actuator is a dependency.
• The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway…

Description

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.

An application can be vulnerable when all the following are true:

• the application is deployed as a WAR or with an embedded Servlet container
• the Servlet container does not reject suspicious sequences
• the application serves static resources with Spring resource handling
…

Description

In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.

Affected Spring Products and Versions

Reactor…

Description

In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is…

Description

Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies.

Affected Spring Products and Versions

Spring Cloud Gateway Server:

• 2.2.10.RELEASE - 4.2.2, 4.3.0-{M1, M2, RC1}

Spring Cloud Gateway Server MVC:

Description

Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass.

Your application may be affected by this if the following are true:

1. You are using @EnableMethodSecurity(mode=ASPECTJ) and spring-security-aspects, and
2. You have Spring Security method annotations on a private method
…