Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.6.5, 3.7.0 - 3.7.2, and older unsupported versions are affected: an attacker who knows the structure of the underlying domain model can craft HTTP PATCH requests that expose hidden entity attributes.
Workarounds: If the resources exposed by Spring Data REST do not need to support HTTP PATCH requests, you can disable that support as described here. Applications that have generally disabled HTTP PATCH support, either through the corresponding configuration of Spring Data REST, Spring Boot or through their runtime infrastructure, are not affected, either.
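The workaround above, disabling PATCH support in Spring Data REST, can be applied through the framework's exposure configuration. The following is an added example and is not code from the advisory or from the Spring project; it assumes a Spring Boot application on an affected 3.6.x/3.7.x line and uses a placeholder domain type `Order` to show the per-aggregate variant alongside the global one.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.data.rest.core.config.RepositoryRestConfiguration;
import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurer;
import org.springframework.http.HttpMethod;
import org.springframework.web.servlet.config.annotation.CorsRegistry;

/**
 * Added example configuration: removes HTTP PATCH from the resources that
 * Spring Data REST exports, so the PATCH path described in the advisory is
 * never reachable. Use this when the application does not need PATCH;
 * otherwise upgrade to a fixed release instead.
 */
@Configuration
public class DisablePatchConfig implements RepositoryRestConfigurer {

    @Override
    public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config,
                                                     CorsRegistry cors) {
        // Global variant: PATCH is no longer supported on any exported item resource.
        // Requests that still send PATCH receive 405 Method Not Allowed.
        config.getExposureConfiguration().disablePatchOnItemResources();

        // Per-aggregate variant (optional, shown for completeness): restrict only one
        // domain type. `Order` is a placeholder for an entity in your own model.
        config.getExposureConfiguration()
              .forDomainType(Order.class)
              .withItemExposure((metadata, methods) -> methods.disable(HttpMethod.PATCH));
    }
}
```

After deploying the change, confirm the workaround took effect by sending a PATCH to any item resource (for example `curl -i -X PATCH http://localhost:8080/orders/1 -H 'Content-Type: application/json' -d '{}'`) and checking that the response is 405 rather than 200 or 204; the global call alone is sufficient, the per-type filter is shown only for applications that need PATCH elsewhere.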
Users of affected versions should apply the following mitigation: 3.6.x users should upgrade to 3.6.7+ (included in Spring Boot 2.6.12+). 3.7.x users should upgrade to 3.7.3+ (included in Spring Boot 2.7.4+). No other steps are necessary. Releases that have fixed this issue include:
This vulnerability was initially discovered and responsibly reported by 白帽酱 @burpheart.
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy.