CVE-2021-22051 – org.springframework.cloud:spring-cloud-gateway

Package

Manager: maven
Name: org.springframework.cloud:spring-cloud-gateway
Vulnerable Version: >=3.0.0 <3.0.5 || >=2.2.0 <2.2.10.release0.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00184 pctl0.40345

Details

Request injection in Spring Cloud Gateway Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5+, 2.2.x users should upgrade to 2.2.10.RELEASE or newer.

Metadata

Created: 2021-11-10T19:45:02Z
Modified: 2021-11-10T19:44:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-2r2v-q399-qq93/GHSA-2r2v-q399-qq93.json
CWE IDs: ["CWE-352", "CWE-863"]
Alternative ID: GHSA-2r2v-q399-qq93
Finding: F007
Auto approve: 1