CVE-2021-22051

CWE-863 — Incorrect Authorization CWE-352 — Cross-Site Request Forgery (CSRF)4 documents4 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 66.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Spring Cloud Gateway

Timeline

PublishedNov 8

Latest updateNov 10

Description

Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5+, 2.2.x users should upgrade to 2.2.10.RELEASE or newer.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDvmware/spring_cloud_gateway3.0.0 — 3.0.5+1

▶Mavenorg.springframework.cloud:spring-cloud-gateway3.0.0 — 3.0.5+1

▶CVEListV5spring_cloud_gateway3.0.0 to 3.0.4, 2.2.0.RELEASE to 2.2.9.RELEASE, and older versions

🔴Vulnerability Details

GHSA

Request injection in Spring Cloud Gateway↗2021-11-10

▶

OSV

Request injection in Spring Cloud Gateway↗2021-11-10

▶

CVEList

CVE-2021-22051: Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services↗2021-11-08

▶