Lucene search

[email protected]CVE-2021-22047

HistoryOct 28, 2021 - 4:15 p.m.

CVE-2021-22047

2021-10-2816:15:07

CWE-668

CWE-200

[email protected]

web.nvd.nist.gov

cve-2021-22047

spring data rest

http resources

unauthorized access

spring security configuration

nvd

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.6 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

31.6%

JSON

In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for unauthorized access depending on the Spring Security configuration.

Affected configurations

NVD

Node

vmwarespring_data_restRange3.4.0–3.4.13

vmwarespring_data_restRange3.5.0–3.5.5

CPENameOperatorVersion
vmware:spring_data_restvmware spring data restle3.4.13
vmware:spring_data_restvmware spring data restle3.5.5

CPE	Name	Operator	Version
vmware:spring_data_rest	vmware spring data rest	le	3.4.13
vmware:spring_data_rest	vmware spring data rest	le	3.5.5

CNA Affected

[
  {
    "product": "Spring Data REST",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Spring Data REST versions 3.4.x  prior to 3.4.14+ ,3.5.x prior to 3.5.6+ and old unsupported versions"
      }
    ]
  }
]