PT-2022-20886 · Spring · Spring Data Rest
白帽酱
Published 2022-09-21 · Updated 2022-09-22
CVE-2022-31679
| CVSS v3.1 | 3.7 (Low) |
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Spring Data REST versions 3.5.5 and earlier
Spring Data REST versions 3.6.0 through 3.6.6
Spring Data REST versions 3.7.0 through 3.7.2
Description
In applications that allow HTTP PATCH access to resources exposed by Spring Data REST, an attacker who knows the structure of the underlying domain model can craft HTTP requests that expose hidden entity attributes.
Recommendations
For versions 3.5.5 and earlier, update to a version that is not older than 3.5.5 to mitigate the risk.
For versions 3.6.0 through 3.6.6, update to a version later than 3.6.6 to resolve the issue.
For versions 3.7.0 through 3.7.2, update to a version later than 3.7.2 to resolve the issue.
As a temporary workaround, consider restricting HTTP PATCH access to resources exposed by Spring Data REST until a patch is available.
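One way to apply the workaround above in a Spring Boot 2.x application, as an added example that is not part of this advisory or of the Spring project: PATCH is removed from every item resource through Spring Data REST's exposure configuration, and a servlet filter rejects any PATCH that still reaches the REST base path. The base path `/api` and the class name are assumptions.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.rest.core.config.RepositoryRestConfiguration;
import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurer;
import org.springframework.http.HttpMethod;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.servlet.config.annotation.CorsRegistry;

// Hypothetical class name; register it like any other @Configuration.
@Configuration
public class DisablePatchWorkaround implements RepositoryRestConfigurer {

    // Layer 1: tell the exporter not to expose PATCH on any item resource, so
    // single-entity endpoints neither advertise nor accept the method.
    @Override
    public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config,
                                                     CorsRegistry cors) {
        config.getExposureConfiguration()
              .withItemExposure((metadata, httpMethods) -> httpMethods.disable(HttpMethod.PATCH));
    }

    // Layer 2: defence in depth. Reject PATCH before it reaches the exporter.
    // Assumes spring.data.rest.base-path=/api; adjust the prefix if yours differs.
    @Bean
    public OncePerRequestFilter rejectPatchOnRestBasePath() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                            FilterChain chain) throws ServletException, IOException {
                boolean isPatch = "PATCH".equalsIgnoreCase(req.getMethod());
                boolean underRestPath = req.getRequestURI().startsWith(req.getContextPath() + "/api/");
                if (isPatch && underRestPath) {
                    // 405 is the correct status for a method the resource does not support.
                    res.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                    return;
                }
                chain.doFilter(req, res);
            }
        };
    }
}
```

Remove the workaround once the application runs a fixed Spring Data REST release, since it also blocks legitimate partial updates.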
Affected Products
Spring Data Rest