Incorrect Authorization in Spring Cloud Netflix Zuul
Moderate severity
GitHub Reviewed
Published
May 10, 2021
to the GitHub Advisory Database
•
Updated Feb 1, 2023
Package
Affected versions
< 2.2.7
Patched versions
2.2.7
Description
Published by the National Vulnerability Database
Feb 23, 2021
Reviewed
May 7, 2021
Published to the GitHub Advisory Database
May 10, 2021
Last updated
Feb 1, 2023
Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. Applications that use Spring Security's StrictHttpFirewall (enabled by default for all URLs) are not affected by the vulnerability, as they reject requests that allow bypassing.
References