Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes.
[
{
"product": "Spring Data REST",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Spring Data REST Versions before 3.6.7 and 3.7.3"
}
]
}
]