2.2.6

CVSS 5.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

LOW

Availability impact

NONE

network

low complexity

vmware

CWE-863

NVD

Published: 2021-02-23

Updated: 2021-03-02

Summary

Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. Applications that use Spring Security's StrictHttpFirewall (enabled by default for all URLs) are not affected by the vulnerability, as they reject requests that allow bypassing.

Vulnerable Configurations

Part	Description	Count
Application	Vmware Vmware Spring Cloud Netflix Zuul 2.2.4 Vmware Spring Cloud Netflix Zuul 2.2.5 Vmware Spring Cloud Netflix Zuul 2.2.6	3

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

References

https://tanzu.vmware.com/security/cve-2021-22113