Moderate severity · NVD Advisory · Published Oct 28, 2021 · Updated Aug 3, 2024

CVE-2021-22047

Description

Custom controllers in Spring Data REST expose resources under unsecured URIs when a base API path is configured and type-level request mappings are used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Spring Data REST versions 3.4.0 to 3.4.13, 3.5.0 to 3.5.5, and older unsupported versions, custom Spring MVC controllers that use a type-level @RequestMapping annotation and are registered under a configured non-empty base API path are additionally exposed under URIs that lack the base path prefix. This occurs because the framework automatically creates alternate URL mappings. The vulnerability requires all of the following conditions: the project uses a vulnerable version of Spring Data REST, a non-empty base path is configured, a custom controller with a type-level @RequestMapping is registered within the Spring Data REST URI space, and Spring Security is applied only to the base-prefixed paths while leaving the non-prefixed URIs unprotected [1][2].

Exploitation

An attacker does not need authentication if the unprotected URIs are publicly accessible. The attacker must send HTTP requests to the alternative paths that are not prefixed with the configured base API path. The Spring Security configuration must have been applied only to the base-prefixed paths, leaving the alternative mappings unsecured. No user interaction is required beyond the attacker making the request [2].

Impact

Successful exploitation allows an attacker to access HTTP resources implemented by the custom controller without proper authorization. This can lead to unauthorized information disclosure or data modification, depending on the controller's functionality. The impact is limited by the requirement that the Spring Security configuration leave the alternative URIs uncovered [2].

Mitigation

Users of affected versions should upgrade to Spring Data REST 3.4.14+ (included in Spring Boot 2.4.12+) or 3.5.6+ (included in Spring Boot 2.5.6+). No other steps are necessary. Projects that cannot upgrade immediately should review their Spring Security configuration to ensure that all paths, including those without the base path prefix, are appropriately secured [2].
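As an added illustration (not code from the advisory or from the Spring project): a Spring Security 5.4+ configuration showing the weak rule that secures only the base-prefixed paths beside the deny-by-default rule the mitigation calls for. It assumes spring.data.rest.base-path=/api, a hypothetical ReportController registered with @RepositoryRestController, and an assumed public /actuator/health endpoint.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.rest.webmvc.RepositoryRestController;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;

// Hypothetical custom controller inside the Spring Data REST URI space, with
// the type-level @RequestMapping the advisory describes. With
// spring.data.rest.base-path=/api it is served at /api/reports; on an
// affected version it is ALSO served at /reports. (@RepositoryRestController
// is assumed here as the registration mechanism.)
@RepositoryRestController
@RequestMapping("/reports")
class ReportController {
    @GetMapping
    ResponseEntity<String> list() {
        return ResponseEntity.ok("report data that must not be anonymous");
    }
}

@Configuration
public class ApiSecurityConfig {

    // WEAK (kept for contrast, deliberately not registered as a bean): only
    // the base-prefixed URI space is protected, so the alternate /reports
    // mapping falls through to permitAll() and is reachable anonymously.
    SecurityFilterChain weakChain(HttpSecurity http) throws Exception {
        http.authorizeRequests(auth -> auth
                .antMatchers("/api/**").authenticated()
                .anyRequest().permitAll())
            .httpBasic();
        return http.build();
    }

    // HARDENED: deny by default. Any URI not explicitly opened must be
    // authenticated, so an alternate mapping cannot slip past the rule
    // regardless of which prefix the framework registers it under.
    @Bean
    SecurityFilterChain hardenedChain(HttpSecurity http) throws Exception {
        http.authorizeRequests(auth -> auth
                .antMatchers("/actuator/health").permitAll()
                .anyRequest().authenticated())
            .httpBasic();
        return http.build();
    }
}
```

A MockMvc regression test that sends anonymous GETs to both /api/reports and /reports and expects 401 from each confirms that the hardened chain covers the alternate mapping.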

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                        | Ecosystem | Affected versions   | Patched versions
org.springframework.data:spring-data-rest-core | Maven     | >= 3.4.0, < 3.4.14  | 3.4.14
org.springframework.data:spring-data-rest-core | Maven     | >= 3.5.0, < 3.5.6   | 3.5.6
