Spring Security Advisories

CVE-2022-31679: Potential Unintended Data Exposure for Resource Exposed by Spring Data REST

MEDIUM | SEPTEMBER 19, 2022 | CVE-2022-31679

Description

Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes.

Workarounds: If the resources exposed by Spring Data REST do not need to support HTTP PATCH requests, you can disable that support as described here. Applications that have generally disabled HTTP PATCH support, either through the corresponding configuration of Spring Data REST, Spring Boot or through their runtime infrastructure, are not affected, either.

Affected Spring Products and Versions

  • Spring Data REST
    • 3.6.0 to 3.6.6
    • 3.7.0 to 3.7.2
    • Older, unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation: 3.6.x users should upgrade to 3.6.7+ (included in Spring Boot 2.6.12+). 3.7.x users should upgrade to 3.7.3+ (included in Spring Boot 2.7.4+). No other steps are necessary. Releases that have fixed this issue include:

  • Spring Data REST
    • 3.6.7+
    • 3.7.3+

Credit

This vulnerability was initially discovered and responsibly reported by 白帽酱 @burpheart.

History

  • 2022-09-19: Initial vulnerability report published.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all