Description

Applications using type-level @RequestMappingannotations over Feign client interfaces, can be involuntarily exposing endpoints corresponding to @RequestMapping-annotated interface methods. Although a response is not returned for a request sent in this way, it does reach the corresponding server-side endpoint.

The practice of using a type-level @RequestMapping on a Feign client interface has been discouraged in the documentation, but we're now taking the step to reject it completely.

Affected Spring Products and Versions

Spring Cloud OpenFeign
- 3.0.0 to 3.0.4
- 2.2.0.RELEASE to 2.2.9.RELEASE
- Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to one of the versions below. No other steps are necessary.

Spring Cloud OpenFeign
- 3.0.5+
- 2.2.10.RELEASE+

Credit

This vulnerability was discovered internally within the Spring team.

History

2021-10-27: Affected version corrected. <br>2021-10-26: Initial vulnerability report published.

Reporting a vulnerability

The VMware Security Response team provides a single point of contact for the reporting of security vulnerabilities in VMware Tanzu products and coordinates the process of investigating any reported vulnerabilities.

To report a security vulnerability in a VMware service or product please refer to the VMware Security Response Policy.