CVE-2021-22044: Spring Cloud OpenFeign Client Endpoint Exposure
Severity
High
Vendor
Spring by VMware
Description
Applications that place a type-level `@RequestMapping` annotation on a Feign client interface can involuntarily expose endpoints corresponding to the interface's `@RequestMapping`-annotated methods. Although a response is not returned for a request sent in this way, the request does reach the corresponding server-side endpoint.
The practice of using a type-level `@RequestMapping` on a Feign client interface has been discouraged in the documentation, but we're now taking the step to reject it completely.
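The following is an added example, not code from the advisory or from the Spring Cloud OpenFeign project. It shows the discouraged pattern next to the corrected form, and a startup check that a consuming application can use to confirm that no Feign client interface has been registered as an MVC handler. The interface name, service name and paths are invented for illustration, and the check relies on the assumption that Spring MVC resolves the handler bean type of a Feign proxy to the annotated interface.

```java
// Added example: not part of the advisory or the Spring Cloud OpenFeign project.
// InventoryClient*, "inventory-service" and the /inventory paths are made up.
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.cloud.openfeign.FeignClient;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

// BEFORE (affected pattern): a type-level @RequestMapping on the Feign interface.
// Spring MVC's RequestMappingHandlerMapping treats a bean whose type carries a
// type-level @RequestMapping as a request handler, so the proxy bean created for
// this interface is registered as a handler for GET /inventory/items/{id} in the
// application that *calls* inventory-service, not only in the service itself.
@FeignClient(name = "inventory-service")
@RequestMapping("/inventory")
interface InventoryClientBefore {
    @GetMapping("/items/{id}")
    String item(@PathVariable("id") String id);
}

// AFTER: the shared prefix moves to the FeignClient.path attribute and only
// method-level mappings stay on the interface, so nothing marks it as a handler.
@FeignClient(name = "inventory-service", path = "/inventory")
interface InventoryClientAfter {
    @GetMapping("/items/{id}")
    String item(@PathVariable("id") String id);
}

// Optional fail-fast check (assumed approach, not from the project): walk the
// MVC handler registry at startup and refuse to start if any mapping resolves
// to a type annotated with @FeignClient.
@Component
class FeignHandlerExposureCheck implements ApplicationRunner {
    private final RequestMappingHandlerMapping mapping;

    FeignHandlerExposureCheck(
            @Qualifier("requestMappingHandlerMapping") RequestMappingHandlerMapping mapping) {
        this.mapping = mapping;
    }

    @Override
    public void run(ApplicationArguments args) {
        mapping.getHandlerMethods().forEach((info, handler) -> {
            Class<?> type = handler.getBeanType();
            if (AnnotationUtils.findAnnotation(type, FeignClient.class) != null) {
                throw new IllegalStateException(
                        "Feign client " + type.getName() + " is exposed as an MVC handler: " + info);
            }
        });
    }
}
```

The check is only a safety net for applications that cannot upgrade immediately; the mitigation in this advisory is to move to a fixed version, where the type-level annotation is rejected outright.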
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- Spring Cloud OpenFeign
  - 3.0.0 to 3.0.4
  - 2.2.0.RELEASE to 2.2.9.RELEASE
  - Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to one of the versions below. No other steps are necessary.
- Spring Cloud OpenFeign
  - 3.0.5+
  - 2.2.10.RELEASE+
Credit
This vulnerability was discovered internally within the Spring team.
References
History
2021-10-27: Affected version corrected.
2021-10-26: Initial vulnerability report published.