GHSA-vwpg-f6gw-rjvf

Source
https://github.com/advisories/GHSA-vwpg-f6gw-rjvf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-vwpg-f6gw-rjvf/GHSA-vwpg-f6gw-rjvf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vwpg-f6gw-rjvf
Aliases
  • CVE-2021-22113
Published
2021-05-10T15:18:50Z
Modified
2024-12-02T05:42:35.143690Z
Summary
Incorrect Authorization in Spring Cloud Netflix Zuul
Details

Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to a bypass of the “Sensitive Headers” restriction when handling requests with specially constructed URLs. Applications that use Spring Security's StrictHttpFirewall (enabled by default for all URLs) are not affected by the vulnerability, because it rejects the requests that would enable the bypass.

Database specific
{
    "nvd_published_at": "2021-02-23T17:15:00Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-07T18:52:54Z"
}
References

Affected packages

Maven / org.springframework.cloud:spring-cloud-netflix-zuul

Package

Name
org.springframework.cloud:spring-cloud-netflix-zuul
Purl
pkg:maven/org.springframework.cloud/spring-cloud-netflix-zuul

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.2.7

Affected versions

2.*

2.0.0.RELEASE
2.0.1.RELEASE
2.0.2.RELEASE
2.0.3.RELEASE
2.0.4.RELEASE
2.1.0.RELEASE
2.1.1.RELEASE
2.1.2.RELEASE
2.1.3.RELEASE
2.1.4.RELEASE
2.1.5.RELEASE
2.1.6.RELEASE
2.2.0.RELEASE
2.2.1.RELEASE
2.2.2.RELEASE
2.2.3.RELEASE
2.2.4.RELEASE
2.2.5.RELEASE
2.2.6.RELEASE