Request injection in Spring Cloud Gateway
Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5+, 2.2.x users should upgrade to 2.2.10.RELEASE or...
GHSA-2R2V-Q399-QQ93 Request injection in Spring Cloud Gateway
Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5+, 2.2.x users should upgrade to 2.2.10.RELEASE or...
CVE-2021-22051
Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5+, 2.2.x users should upgrade to 2.2.10.RELEASE or...
Cross site request forgery (csrf)
Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5+, 2.2.x users should upgrade to 2.2.10.RELEASE or...
CVE-2021-22051
Spring Cloud Gateway is affected by CVE-2021-22051, where specially crafted requests could trigger an additional downstream request. The issue affects 3.0.x and 2.2.x releases; mitigation specifies upgrading to 3.0.5+ or 2.2.10.RELEASE+ (for affected versions). Remediation guidance explicitly rec...
Spring Cloud Gateway security vulnerability
Spring Cloud Gateway provides a library for building API gateways on top of Spring WebFlux. A security vulnerability exists in Spring Cloud Gateway: applications using Spring Cloud Gateway are vulnerable to carefully crafted requests that may make additional requests to...
Pentaho Business Analytics / Pentaho Business Server 9.1 Authentication Bypass Vulnerability
Product: Pentaho Business Analytics / Pentaho Business Server Vendor / Manufacturer: Hitachi Vantara Affected Versions: sec:intercept-url pattern="\A/api/.\Z" access="Authent...
Pentaho Business Analytics / Pentaho Business Server 9.1 Authentication Bypass
Product: Pentaho Business Analytics / Pentaho Business Server Vendor / Manufacturer: Hitachi Vantara Affected Versions: sec:intercept-url pattern="\A/api/.require-js-cfg.js.\Z" access="Anonymous,...
Hitachi Vantara Pentaho authorization issue vulnerability
Hitachi Pentaho is a service from Hitachi Japan for storing and managing data in a Big Data environment. An authorization issue vulnerability exists in Hitachi Vantara Pentaho, stemming from an issue discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x...
ai.databand.azkaban:azkaban-web-server (=3.18.0), be.mogo.iam:mogo-provisioning (>=1.0.1.RELEASE <=1.1.7.RELEASE) +1350 more potentially affected by CVE-2021-41973 via org.apache.mina:mina-core (>=1.0.0 <=2.0.21)
org.apache.mina:mina-core MAVEN version =1.0.0, =1.0.1.RELEASE, =1.1.8.RELEASE, =1.1.5.RELEASE, =2.7.4.0, =1.0.0.RELEASE, =1.0.0.RELEASE, =1.0.0.RELEASE, =1.0.2.RELEASE, =1.0.3.RELEASE - cn.javaboot:nacos-address =1.4.1 - cn.javaboot:nacos-console =1.4.1 - cn.javaboot:nacos-distribution =1.4.1 -...
Log Injection
Spring Framework is vulnerable to privilege escalation. The vulnerability exists due to lack of secure validations of user input which allows a malicious user to inject additional log files...
Security Restriction Bypass
spring-boot-actuator is vulnerable to security restriction bypass. Lack of secure handling of HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping causes the exposure of those resources and request mapping, leading to...
Involuntary Endpoint Exposure
org.springframework.cloud, spring-cloud-openfeign-core is vulnerable to involuntary endpoint exposure. An attacker is able to listen to requests from the corresponding server-side endpoint, when @RequestMapping annotation is used over feign client interfaces...
Denial Of Service (DoS)
spring-amqp is vulnerable to denial of service. An attacker can cause an application crash through the message.toString function, which deserializes the body of a message with content-type application/x-java-serialized-object, by constructing a malicious java.util.Dictionary object...
CVE-2021-22097
In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct a malicious java.util.Dictionary object that can cause 100%...
CVE-2021-22047
In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for...
CVE-2021-22044
In Spring Cloud OpenFeign 3.0.0 to 3.0.4, 2.2.0.RELEASE to 2.2.9.RELEASE, and older unsupported versions, applications using type-level @RequestMapping annotations over Feign client interfaces can involuntarily expose endpoints corresponding to @RequestMapping-annotated interface methods...