Lucene search

VmwareCVELIST:CVE-2021-22047

HistoryOct 28, 2021 - 3:21 p.m.

CVE-2021-22047

2021-10-2815:21:26

CWE-200

vmware

www.cve.org

spring data rest

http resources

custom controllers

uri exposure

unauthorized access

spring security

AI Score

5.6

Confidence

High

EPSS

0.001

Percentile

36.2%

JSON

In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for unauthorized access depending on the Spring Security configuration.

CNA Affected

[
  {
    "product": "Spring Data REST",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Spring Data REST versions 3.4.x  prior to 3.4.14+ ,3.5.x prior to 3.5.6+ and old unsupported versions"
      }
    ]
  }
]

References

tanzu.vmware.com/security/cve-2021-22047