21 matches found
Spring Cloud Gateway Server Webflux - Broken Access Control
Spring Cloud Gateway Server Webflux contains a vulnerability caused by unsecured and exposed actuator endpoints allowing modification of Spring Environment properties, letting attackers modify configuration, exploit requires unsecured actuator endpoints exposure. id: CVE-2025-41243 info: name:...
CVE-2026-50201
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, all Steeltoe actuator endpoints default to...
CVE-2026-50201
CVE-2026-50201: Steeltoe's sensitive actuators (heapdump, environment, thread dump) default to EndpointPermissions.Restricted in Steeltoe.Management.Endpoint (pre-4.2.0) and Steeltoe.Management.EndpointCore (pre-3.4.0), mapping to CF read_basic_data. Sensitive endpoints are not upgraded to Endpoi...
EUVD-2026-13349
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from...
CVE-2026-22733
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from...
CVE-2025-41253
The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be considered vulnerable when all the following are true: The application is using Spring Cloud Gateway Server...
Spring Cloud Gateway Server Webflux is vulnerable to Expression Language Injection
The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be considered vulnerable when all the following are true: The application is using Spring Cloud Gateway Server...
EUVD-2025-34761
Spring Cloud Gateway Server Webflux is vulnerable to Expression Language Injection...
GHSA-FWXX-WV44-7QFG Spring Cloud Gateway Server Webflux is vulnerable to Expression Language Injection
The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be considered vulnerable when all the following are true: The application is using Spring Cloud Gateway Server...
CVE-2025-41253
The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be considered vulnerable when all the following are true: The application is using Spring Cloud Gateway Server...
CVE-2025-41253 Spring Cloud Gateway Webflux SpEL Injection Vulnerability Allowing Exposure of Environment Variables
The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be considered vulnerable when all the following are true: The application is using Spring Cloud Gateway Server...
CVE-2025-41253 Spring Cloud Gateway Webflux SpEL Injection Vulnerability Allowing Exposure of Environment Variables
The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be considered vulnerable when all the following are true: The application is using Spring Cloud Gateway Server...
Remote Code Execution
org.springframework.cloud, spring-cloud-gateway-server is vulnerable to Remote Code Execution. The vulnerability is due to exposed actuator endpoints evaluating user-controlled input via the GatewayEvaluationContext, allowing attackers to modify Spring Environment properties when the actuator...
CVE-2025-41243 Spring Expression Language property modification using Spring Cloud Gateway Server WebFlux
Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true: The application is using Spring Cloud Gateway Server Webflux Spring Cloud Gateway Server WebMVC is not vulnerable...
CVE-2025-41243 Spring Expression Language property modification using Spring Cloud Gateway Server WebFlux
Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true: The application is using Spring Cloud Gateway Server Webflux Spring Cloud Gateway Server WebMVC is not vulnerable...
Exploit for Code Injection in Vmware Spring_Cloud_Gateway
CVE-2022-22947 Spring Cloud Gateway Vulnerability Demonstratio...
Missing Authorization
org.springframework.boot is vulnerable to Missing Authorization. The vulnerability is due to incorrect request matching caused by EndpointRequest.to creating a matcher for null/ when the targeted actuator endpoint is disabled or not exposed, which allows unprotected access to the /null path...
CVE-2022-23726
PingCentral versions prior to listed versions expose Spring Boot actuator endpoints that with administrative authentication return large amounts of sensitive environmental and application information...
CVE-2022-23726
PingCentral versions prior to listed versions expose Spring Boot actuator endpoints that with administrative authentication return large amounts of sensitive environmental and application information...
PT-2022-16230 · Unknown · Spring Boot +1
Name of the Vulnerable Software and Affected Versions: PingCentral versions prior to listed versions Description: The issue exposes Spring Boot actuator endpoints, which can return large amounts of sensitive environmental and application information when accessed with administrative authenticatio...