Spring Security Advisories

All advisories

CVE-2021-22051: Spring Cloud Gateway Request Vulnerability

HIGH | NOVEMBER 04, 2021 | CVE-2021-22051

Description

Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services.

Affected Spring Products and Versions

  • Spring Cloud Gateway
    • 3.0.0 to 3.0.4
    • 2.2.0.RELEASE to 2.2.9.RELEASE
    • Older, unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5+, 2.2.x users should upgrade to 2.2.10.RELEASE+. No other steps are necessary. Releases that have fixed this issue include:

  • Spring Cloud Gateway
    • 3.0.5+
    • 2.2.10.RELEASE+

Credit

This vulnerability was discovered and responsibly reported by Frederico Biehl and Maxim Tyukov from the Backbase security team.

References

History

  • 2021-11-04: Initial vulnerability report published.

Reporting a vulnerability

The VMware Security Response team provides a single point of contact for the reporting of security vulnerabilities in VMware Tanzu products and coordinates the process of investigating any reported vulnerabilities.

To report a security vulnerability in a VMware service or product please refer to the VMware Security Response Policy.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all