Description

Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies.

Affected Spring Products and Versions

Spring Cloud Gateway Server:

• 2.2.10.RELEASE - 4.2.2, 4.3.0-{M1, M2, RC1}

Spring Cloud Gateway Server MVC:

• 4.1.7 - 4.2.2, 4.3.0-{M1, M2, RC1}

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

NOTE: Older unsupported versions are also impacted, and should upgrade to a supported version.

The X-Forwarded-* and Forwarded header functionality will be disabled by default with the fix versions. If you require X-Forwarded-* or Forwarded header functionality, after upgrading you will need to do the following:

1. Set spring.cloud.gateway.trusted-proxies to a Java Regular Expression that specifies the proxies whose headers you trust. If you are using Spring Cloud Gateway Server MVC (only available from 4.1.x onward) set spring.cloud.gateway.mvc.trusted-proxies. For example for Spring Cloud Gateway Server:

spring.cloud.gateway.trusted-proxies=10\.0\.0\..*

For example for Spring Cloud Gateway Server MVC:

spring.cloud.gateway.mvc.trusted-proxies=10\.0\.0\..*

If you cannot upgrade, then you can:

1. Set spring.cloud.gateway.forwarded.enabled=false and spring.cloud.gateway.x-forwarded.enabled=false if you are using spring-cloud-starter-gateway or if you are using spring-cloud-starter-gateway-mvc (only available from 4.1.x onward) set spring.cloud.gateway.mvc.forwarded-request-headers-filter.enabled=false and spring.cloud.gateway.mvc.x-forwarded-request-headers-filter.enabled=false.

Credit

This vulnerability was discovered and responsibly reported by Vilius Šumskas.

References

• https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N&version=3.1