Spring Security Advisories

All advisories

CVE-2021-22113: Spring Cloud Netflix Zuul “Sensitive Headers” Bypass Vulnerability

MEDIUM | FEBRUARY 11, 2021 | CVE-2021-22113

Description

Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. Applications that use Spring Security's StrictHttpFirewall (enabled by default for all URLs) are not affected by the vulnerability, as they reject requests that allow bypassing.

Affected Spring Products and Versions

  • Spring Cloud Netflix Zuul
    • 2.2.6 and below

Mitigation

Users should upgrade to 2.2.7 and higher. Releases that have fixed this issue include:

  • Spring Cloud Netflix Zuul
    • 2.2.7

Credit

This issue was identified and responsibly reported by threedr3am (threedr3am at foxmail.com).

References

History

  • 2021-02-11: Initial vulnerability report published.

Reporting a vulnerability

To report a security vulnerability for a project within the Spring portfolio, see the Security Policy

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all