Spring Security Advisories

CVE-2021-22044: Spring Cloud OpenFeign Client Endpoint Exposure

HIGH | OCTOBER 26, 2021 | CVE-2021-22044

Description

Applications using type-level @RequestMapping annotations over Feign client interfaces may be involuntarily exposing endpoints corresponding to @RequestMapping-annotated interface methods. Although a response is not returned for a request sent in this way, it does reach the corresponding server-side endpoint.

The practice of using a type-level @RequestMapping on a Feign client interface has been discouraged in the documentation, but we're now taking the step to reject it completely.
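The following is an added illustration, not code from the advisory or from the Spring Cloud OpenFeign project. It shows the discouraged shape of a Feign client (a type-level @RequestMapping on the interface) next to the recommended shape that carries the shared prefix in the path attribute of @FeignClient. The service name "stores", the Store type and the method names are assumptions made for the example. A type-level @RequestMapping is what lets Spring MVC's handler-mapping scan treat the client proxy bean as a request handler, so the calling application would itself start accepting requests at those paths and forward them to the remote service.

```java
import org.springframework.cloud.openfeign.FeignClient;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;

// Assumed DTO for the example.
class Store {
    private long id;
    private String name;
    public long getId() { return id; }
    public String getName() { return name; }
}

// DISCOURAGED (rejected outright from 3.0.5 / 2.2.10.RELEASE):
// a type-level @RequestMapping on the client interface. The proxy bean that
// OpenFeign creates for this interface carries that annotation, so the
// application's own MVC layer registers GET /stores/{id} as a handler and
// forwards any incoming request for it to the remote "stores" service.
@FeignClient(name = "stores")
@RequestMapping("/stores")
interface StoreClientDiscouraged {
    @GetMapping("/{id}")
    Store findById(@PathVariable("id") long id);
}

// RECOMMENDED: keep the common prefix in @FeignClient's path attribute and
// put mappings only on the methods. Without a type-level @RequestMapping the
// proxy is not picked up as an MVC handler, so no endpoint is exposed.
@FeignClient(name = "stores", path = "/stores")
interface StoreClient {
    @GetMapping("/{id}")
    Store findById(@PathVariable("id") long id);
}
```

A quick way to check an existing application for this pattern is to review the registered handler mappings (for instance via the Actuator mappings endpoint, if it is enabled) and confirm that no paths declared on Feign client interfaces appear among the application's own handlers.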

Affected Spring Products and Versions

  • Spring Cloud OpenFeign
    • 3.0.0 to 3.0.4
    • 2.2.0.RELEASE to 2.2.9.RELEASE
    • Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to one of the versions below. No other steps are necessary.

  • Spring Cloud OpenFeign
    • 3.0.5+
    • 2.2.10.RELEASE+

Credit

This vulnerability was discovered internally within the Spring team.

History

  • 2021-10-27: Affected version corrected.
  • 2021-10-26: Initial vulnerability report published.
