Veracode Vulnerability Database: VERACODE:41329

Improper Neutralization Of HTTP Headers

2023-07-18 07:16:24
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
Tags: vulnerability, http headers, spoofing, security mechanisms, reactive web stack, spring webflux

CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS: 0.001 Low
Percentile: 30.1%

Spring HATEOAS is vulnerable to Improper Neutralization of HTTP Headers. The vulnerability is due to the “Forwarded”, “X-Forwarded-Host”, “X-Forwarded-Port” and “X-Forwarded-Proto” headers not being sanitized or stripped. This can allow an attacker to spoof the values of these headers and thereby bypass security mechanisms meant to prevent illegitimate access. The application needs to use the reactive web stack (Spring WebFlux) for this vulnerability to materialise.
