CVE-2022-31679

Summary

Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes.

Affected Software

VendorProductVersion RangeStatus
n/aSpring Data RESTSpring Data REST Versions before 3.6.7 and 3.7.3affected

Weaknesses

  • Potential Unintended Data Exposure for Resource Exposed

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References