CVE-2021-22047

Summary

In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for unauthorized access depending on the Spring Security configuration.

Affected Software

VendorProductVersion RangeStatus
n/aSpring Data RESTSpring Data REST versions 3.4.x prior to 3.4.14+ ,3.5.x prior to 3.5.6+ and old unsupported versionsaffected

Weaknesses

  • CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CVE Program Container

Additional References

References