CVE-2021-22113
Incorrect Authorization in Spring Cloud Netflix Zuul
EPSS 0.22%
Description
Applications using the "Sensitive Headers" functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to a bypass of the "Sensitive Headers" restriction when handling requests with specially constructed URLs. Sensitive headers are the headers Zuul is configured to strip from a proxied request or response (by default Cookie, Set-Cookie and Authorization), so a bypass lets those headers reach a downstream service, or the client, that should never have seen them. Applications that use Spring Security's StrictHttpFirewall (the default HttpFirewall, applied to all URLs) are not affected, because it rejects the malformed requests that enable the bypass before they reach Zuul's filters.
How to fix CVE-2021-22113
To remediate CVE-2021-22113, upgrade the affected package to a fixed version:
- Upgrade Spring Cloud Netflix Zuul to 2.2.7 or later.
If you cannot upgrade immediately, make sure Spring Security's default StrictHttpFirewall is in place and has not been relaxed (see the description above); it is what blocks the bypass on unpatched versions.
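The following is an added example, not code from this advisory or from the Spring Cloud Netflix project. It shows the two configuration points the description and fix refer to: a per-route sensitiveHeaders setting for Zuul, and a Spring Security configuration that keeps the default StrictHttpFirewall instead of relaxing it. The package, class, bean names, route name and backend URL are assumptions chosen for illustration; the StrictHttpFirewall setters and the zuul.routes.*.sensitiveHeaders property are real Spring APIs.

```java
// Added example for CVE-2021-22113; not the advisory's or the project's own code.
// Assumptions: a Zuul gateway on Spring Boot 2.x (Spring Security 5.x on the classpath),
// with the Zuul route below declared in application.yml:
//
//   zuul:
//     routes:
//       users:                                   # assumed route name
//         path: /users/**
//         url: http://users.internal:8080        # assumed backend
//         sensitiveHeaders: Cookie,Set-Cookie,Authorization
//
// The sensitiveHeaders list is what Zuul strips from the proxied request/response;
// CVE-2021-22113 is a bypass of that stripping on Zuul <= 2.2.6.RELEASE.
package com.example.gateway;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
public class GatewaySecurityConfig extends WebSecurityConfigurerAdapter {

    // WEAK SETTING (shown for contrast, intentionally not a bean):
    // relaxing StrictHttpFirewall lets URL-encoded slashes, path parameters (";")
    // and encoded percent signs through to Zuul's route matching. The advisory's
    // protection depends on these being rejected, so do not do this on an
    // unpatched Zuul.
    static HttpFirewall relaxedFirewallDoNotUse() {
        StrictHttpFirewall fw = new StrictHttpFirewall();
        fw.setAllowUrlEncodedSlash(true);    // permits %2F in the path
        fw.setAllowSemicolon(true);          // permits ;param style path segments
        fw.setAllowUrlEncodedPercent(true);  // permits %25 (double encoding)
        return fw;
    }

    // HARDENED SETTING: an explicit StrictHttpFirewall with its default (strict)
    // behaviour. This is also what Spring Security uses when no HttpFirewall bean
    // is declared, so the point of declaring it is to make the choice visible
    // and reviewable rather than to change behaviour.
    @Bean
    public HttpFirewall strictFirewall() {
        return new StrictHttpFirewall();
    }

    @Override
    public void configure(WebSecurity web) {
        // Apply the firewall to every request before the security filter chain runs.
        web.httpFirewall(strictFirewall());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Minimal policy for the gateway itself; the route backend does its own authz.
        http.authorizeRequests().anyRequest().authenticated()
            .and().httpBasic();
    }
}
```

With the strict firewall in place, a request whose path contains an encoded slash, a semicolon path parameter or a double-encoded percent is rejected by Spring Security before any Zuul pre-filter runs, which is the property the advisory relies on. Upgrading to 2.2.7 or later remains the actual fix; the firewall configuration is the interim control.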
Is CVE-2021-22113 being exploited?
Low. EPSS is 0.22%, meaning the model estimates a low probability of exploitation in the wild over the next 30 days; it is a prediction, not a record of observed attacks. Note that the bypass requires the target to have replaced or relaxed Spring Security's default StrictHttpFirewall (or to run Zuul without Spring Security), which narrows the exposed population.
Affected packages (1)
- Spring Cloud Netflix Zuul: all versions before 2.2.7 (2.2.6.RELEASE and earlier)