CVE-2025-22235: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed

MEDIUM | APRIL 24, 2025 | CVE-2025-22235

Description

EndpointRequest.to() creates a matcher for the path pattern null/** if the actuator endpoint for which the EndpointRequest has been created is disabled or not exposed.

Your application may be affected by this if all the following conditions are met:

  • You use Spring Security
  • EndpointRequest.to() has been used in a Spring Security chain configuration
  • The endpoint which EndpointRequest references is disabled or not exposed via web
  • Your application handles requests to /null and this path needs protection

You are not affected if any of the following is true:

  • You don't use Spring Security
  • You don't use EndpointRequest.to()
  • The endpoint which EndpointRequest.to() refers to is enabled and is exposed
  • Your application does not handle requests to /null or this path does not need protection

Affected Spring Products and Versions

Spring Boot:

  • 2.7.0 - 2.7.24.2
  • 3.1.0 - 3.1.15.2
  • 3.2.0 - 3.2.13.2
  • 3.3.0 - 3.3.10
  • 3.4.0 - 3.4.4
  • Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version   Availability
2.7.x                 2.7.25        Enterprise Support Only
3.1.x                 3.1.16        Enterprise Support Only
3.2.x                 3.2.14        Enterprise Support Only
3.3.x                 3.3.11        OSS
3.4.x                 3.4.5         OSS

If you cannot upgrade, then you can either:

  • Make sure that the endpoint to which EndpointRequest.to() refers is enabled and exposed via web
  • Make sure that you don't handle requests to /null
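The following is an added illustration, not code from the advisory or from Spring Boot itself, of the affected configuration pattern described above and of the upgrade-free mitigation; it is written in Spring Boot 3.x / Spring Security 6 style, and the choice of the health endpoint and of HTTP Basic for the application chain are assumptions for the example.

```java
// Added example, not from the advisory: a Spring Boot 3.x / Spring Security 6
// configuration showing the affected pattern and the upgrade-free mitigation.
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // Affected pattern: this chain is scoped to the health endpoint and opens it up.
    // On an affected Spring Boot version, if the health endpoint is disabled or is
    // not exposed over the web (management.endpoints.web.exposure.include does not
    // list it), EndpointRequest.to(HealthEndpoint.class) matches "null/**" instead,
    // so this permitAll rule silently applies to any request under /null.
    @Bean
    @Order(1)
    SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        http.securityMatcher(EndpointRequest.to(HealthEndpoint.class))
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll());
        return http.build();
    }

    // Every other request keeps its normal protection; a request to /null only
    // reaches this chain if the first chain's matcher does not claim it.
    @Bean
    @Order(2)
    SecurityFilterChain applicationChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

// Mitigation without upgrading (as the advisory states): make sure the endpoint
// the matcher refers to is enabled and exposed, e.g. in application.properties:
//
//   management.endpoint.health.enabled=true
//   management.endpoints.web.exposure.include=health
//
// With the endpoint exposed, the matcher resolves to the endpoint's real path
// (/actuator/health/** under the default base path) and the permitAll rule no
// longer reaches /null.
```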

Credit

This vulnerability was discovered and responsibly reported by Janek Bettinger.
