CVE-2021-22044: Spring Cloud OpenFeign Client Endpoint Exposure

Severity

High

Vendor

Spring by VMware

Description

Applications that use type-level `@RequestMapping` annotations on Feign client interfaces can involuntarily expose endpoints corresponding to the `@RequestMapping`-annotated interface methods. Although no response is returned for a request sent in this way, the request does reach the corresponding server-side endpoint.

The practice of using a type-level `@RequestMapping` on a Feign client interface has been discouraged in the documentation, but we're now taking the step to reject it completely.
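The discouraged pattern beside the recommended one, as an added illustration that is not part of the advisory or of the Spring Cloud OpenFeign code base; the client names `InventoryClientDiscouraged`, `InventoryClient`, the service name `inventory-service` and the `/inventory` paths are assumptions:

```java
// Added example (not from the advisory): a Feign client interface written
// with a type-level @RequestMapping, and the same client rewritten so the
// common path prefix lives on @FeignClient instead.
// Names such as InventoryClient and "inventory-service" are assumptions.
package example;

import org.springframework.cloud.openfeign.FeignClient;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;

// DISCOURAGED, and rejected outright from 3.0.5 / 2.2.10.RELEASE on.
// The type-level @RequestMapping lets Spring MVC pick the interface up as
// a handler, so the application that merely *contains* this client also
// serves GET /inventory/items/{id} itself. As the advisory describes, a
// request sent to that path gets no response, but it still reaches the
// server-side endpoint the client was meant to call.
@FeignClient(name = "inventory-service")
@RequestMapping("/inventory")
interface InventoryClientDiscouraged {

    @GetMapping("/items/{id}")
    String item(@PathVariable("id") String id);
}

// PREFERRED: put the prefix in @FeignClient's path attribute and keep only
// method-level mappings on the interface. Spring MVC registers no handler
// for the interface, so the containing application exposes nothing.
@FeignClient(name = "inventory-service", path = "/inventory")
interface InventoryClient {

    @GetMapping("/items/{id}")
    String item(@PathVariable("id") String id);
}
```

When auditing a code base still on an affected version, look for interfaces that carry both `@FeignClient` and a type-level `@RequestMapping`; moving the prefix into `path` removes the exposure without changing the outgoing requests the client sends.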

Affected VMware Products and Versions

Severity is high unless otherwise noted.

  • Spring Cloud OpenFeign
    • 3.0.0 to 3.0.4
    • 2.2.0.RELEASE to 2.2.9.RELEASE
    • Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to one of the versions below. No other steps are necessary.

  • Spring Cloud OpenFeign
    • 3.0.5+
    • 2.2.10.RELEASE+

Credit

This vulnerability was discovered internally within the Spring team.

History

2021-10-27: Affected version corrected.
2021-10-26: Initial vulnerability report published.