Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux
Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Description: CWE-524: Use of Cache-Containing Sensitive Information to Aid in Security Bypass
Metrics
Version
Base score
Base severity
Vector
3.1
5.9
MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Version:3.1
Base score:5.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC ID
Description
N/A
An attacker can access a protected static resource by exploiting a shared resource cache that first resolved and cached a publicly available resource with the same name, bypassing authentication controls.
CAPEC ID: N/A
Description: An attacker can access a protected static resource by exploiting a shared resource cache that first resolved and cached a publicly available resource with the same name, bypassing authentication controls.