CVE-2021-22113: Spring Cloud Netflix Zuul “Sensitive Headers” Bypass Vulnerability

Severity

Medium

Vendor

Spring by VMware

Description

Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. Applications that use Spring Security's StrictHttpFirewall (enabled by default for all URLs) are not affected by the vulnerability, as they reject requests that allow bypassing.

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

This is based on the CVSS calculated here.

Spring Cloud Netflix Zuul
- 2.2.6 and below

Mitigation

Users should upgrade to 2.2.7 and higher. Releases that have fixed this issue include:

Spring Cloud Netflix Zuul
- 2.2.7

Credit

This issue was identified and responsibly reported by threedr3am (threedr3am at foxmail.com).

References

https://docs.spring.io/spring-cloud-netflix/docs/2.2.6.RELEASE/reference/html/#cookies-and-sensitive-headers

History

2021-02-11: Initial vulnerability report published.

Paving the Road to Modern Apps

Tanzu Basic Edition

Tanzu Standard Edition

Tanzu Advanced Edition

CVE-2021-22113: Spring Cloud Netflix Zuul “Sensitive Headers” Bypass Vulnerability