Lucene search

K
githubGitHub Advisory DatabaseGHSA-VWPG-F6GW-RJVF
HistoryMay 10, 2021 - 3:18 p.m.

Incorrect Authorization in Spring Cloud Netflix Zuul

2021-05-1015:18:50
CWE-863
GitHub Advisory Database
github.com
41
spring cloud netflix zuul
vulnerability
sensitive headers
bypassing
spring security
stricthttpfirewall
urls

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

35.9%

Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. Applications that use Spring Security’s StrictHttpFirewall (enabled by default for all URLs) are not affected by the vulnerability, as they reject requests that allow bypassing.

Affected configurations

Vulners
Node
vmwarespring_cloud_netflix_zuulRange<2.2.7
VendorProductVersionCPE
vmwarespring_cloud_netflix_zuul*cpe:2.3:a:vmware:spring_cloud_netflix_zuul:*:*:*:*:*:*:*:*

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

35.9%

Related for GHSA-VWPG-F6GW-RJVF