GHSA-2r2v-q399-qq93

Source
https://github.com/advisories/GHSA-2r2v-q399-qq93
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-2r2v-q399-qq93/GHSA-2r2v-q399-qq93.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2r2v-q399-qq93
Aliases
Published
2021-11-10T19:45:02Z
Modified
2023-11-08T04:04:53.464497Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Request injection in Spring Cloud Gateway
Details

Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could cause an extra request to be made to downstream services. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5 or later; 2.2.x users should upgrade to 2.2.10.RELEASE or later.

Database specific
{
    "nvd_published_at": "2021-11-08T14:15:00Z",
    "github_reviewed_at": "2021-11-09T21:08:14Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-352",
        "CWE-863"
    ]
}
References

Affected packages

Maven / org.springframework.cloud:spring-cloud-gateway

Package

Name
org.springframework.cloud:spring-cloud-gateway
Purl
pkg:maven/org.springframework.cloud/spring-cloud-gateway

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.5

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4

Maven / org.springframework.cloud:spring-cloud-gateway

Package

Name
org.springframework.cloud:spring-cloud-gateway
Purl
pkg:maven/org.springframework.cloud/spring-cloud-gateway

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.2.10.RELEASE

Affected versions

2.*

2.2.0.RELEASE
2.2.1.RELEASE
2.2.2.RELEASE
2.2.3.RELEASE
2.2.4.RELEASE
2.2.5.RELEASE
2.2.6.RELEASE
2.2.7.RELEASE
2.2.8.RELEASE
2.2.9.RELEASE
2.2.10.RELEASE

Database specific

{
    "last_known_affected_version_range": "<= 2.2.10.RELEASE"
}