CVE-2021-22113: Spring Cloud Netflix Zuul “Sensitive Headers” Bypass Vulnerability
Severity
Medium
Vendor
Spring by VMware
Description
Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to a bypass of the “Sensitive Headers” restriction when handling requests with specially constructed URLs. Applications that use Spring Security's StrictHttpFirewall (enabled by default for all URLs) are not affected, because the firewall rejects the requests that would allow the bypass.
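The following configuration is an added example, not code from the advisory or from the Spring projects. It shows the defensive posture the description relies on: a Zuul gateway that strips sensitive headers per route and that keeps Spring Security's StrictHttpFirewall in front of every request. It assumes a Spring Boot application with spring-cloud-starter-netflix-zuul and spring-boot-starter-security on the classpath; the package name, the route name "users" and its downstream URL are made up.

```java
// Added example (not from the advisory or the Spring project): hardening a Zuul gateway
// in the way the CVE-2021-22113 description relies on.
// Assumes spring-cloud-starter-netflix-zuul and spring-boot-starter-security;
// the package, route name and downstream URL are hypothetical.
package example.gateway;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;

/*
 * Route definition for application.yml (Zuul property names are the real ones;
 * the route itself is constructed for this example). "sensitiveHeaders" lists the
 * request/response headers that Zuul must not forward to, or from, the downstream
 * service for that route.
 *
 * zuul:
 *   routes:
 *     users:
 *       path: /users/**
 *       url: https://users.internal.example   # hypothetical downstream
 *       sensitiveHeaders: Cookie,Set-Cookie,Authorization
 */
@Configuration
public class GatewayHardeningConfig {

    /**
     * Spring Security installs StrictHttpFirewall for every request by default,
     * which is why the advisory says such applications are not affected.
     * Declaring the bean explicitly makes that dependency visible in code review
     * and keeps a later change from silently replacing it with a more permissive
     * HttpFirewall. With its defaults, StrictHttpFirewall rejects request paths
     * containing, among other things, URL-encoded slashes, backslashes,
     * semicolons and URL-encoded percent signs.
     */
    @Bean
    public HttpFirewall httpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        // Leave the defaults in place. Each of the relaxations below is a real
        // setter on StrictHttpFirewall, and turning one on re-admits a class of
        // path encodings that the default firewall rejects:
        //   firewall.setAllowUrlEncodedSlash(true);
        //   firewall.setAllowSemicolon(true);
        //   firewall.setAllowBackSlash(true);
        //   firewall.setAllowUrlEncodedPercent(true);
        return firewall;
    }
}
```

The firewall is defense in depth, not a substitute for the fix: gateways on 2.2.6 or below should still be upgraded as described under Mitigation. When reviewing a gateway, check both that the sensitive headers are declared for every route (or globally via zuul.sensitiveHeaders) and that no HttpFirewall bean or configuration has loosened the StrictHttpFirewall defaults.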
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
This is based on the CVSS calculated here.
- Spring Cloud Netflix Zuul
  - 2.2.6 and below
Mitigation
Users should upgrade to 2.2.7 and higher. Releases that have fixed this issue include:
- Spring Cloud Netflix Zuul
  - 2.2.7
Credit
This issue was identified and responsibly reported by threedr3am (threedr3am at foxmail.com).
References
History
2021-02-11: Initial vulnerability report published.