CVE-2022-31679

2022-09-2118:15:10

vmware

web.nvd.nist.gov

cve-2022-31679

nvd

http patch

spring data rest

security vulnerability

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

42.1%

JSON

Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes.

Affected configurations

Nvd

Node

vmwarespring_data_restRange3.6.0–3.6.7

vmwarespring_data_restRange3.7.0–3.7.3

VendorProductVersionCPE
vmwarespring_data_rest*cpe:2.3:a:vmware:spring_data_rest:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
vmware	spring_data_rest	*	cpe:2.3:a:vmware:spring_data_rest::::::::

CNA Affected

[
  {
    "product": "Spring Data REST",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Spring Data REST Versions before 3.6.7 and 3.7.3"
      }
    ]
  }
]