All Vulnerability Reports

CVE-2021-22051: Spring Cloud Gateway Request Vulnerability

Severity

High

Vendor

Spring by VMware

Description

Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services.

Affected VMware Products and Versions

Severity is high unless otherwise noted.

• Spring Cloud Gateway
  • 3.0.0 to 3.0.4
  • 2.2.0.RELEASE to 2.2.9.RELEASE
  • Older, unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5+, 2.2.x users should upgrade to 2.2.10.RELEASE+. No other steps are necessary. Releases that have fixed this issue include:

• Spring Cloud Gateway
  • 3.0.5+
  • 2.2.10.RELEASE+

Credit

This vulnerability was discovered and responsibly reported by Frederico Biehl and Maxim Tyukov from the Backbase security team.

References

• https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C

History

2021-11-04: Initial vulnerability report published.