Homepage

org.springframework.cloud:spring-cloud-gateway-server-mvc@4.1.0 vulnerabilities

  • latest version

    4.3.0

  • latest non vulnerable version

    4.3.0

  • first published

    1 years ago

  • latest version published

    8 days ago

  • licenses detected

  • package registry

    View on Maven Central Repository
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the org.springframework.cloud:spring-cloud-gateway-server-mvc package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Unintended Proxy or Intermediary ('Confused Deputy')

    Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') due to the improper validation of X-Forwarded-For and Forwarded headers forwarded from untrusted proxies. An attacker can manipulate the server's behavior by sending crafted headers from an untrusted proxy.

    Notes:

    1. The vulnerability was also fixed in version 4.0.12, a commercial version;

    2. The X-Forwarded-* and Forwarded header functionality will be disabled by default with the fix versions. If you require X-Forwarded-* or Forwarded header functionality, after upgrading you will need to set spring.cloud.gateway.trusted-proxies to a Java Regular Expression that specifies the proxies whose headers you trust. If you are using Spring Cloud Gateway Server MVC (only available from 4.1.x onward) set spring.cloud.gateway.mvc.trusted-proxies.

    How to fix Unintended Proxy or Intermediary ('Confused Deputy')?

    Upgrade org.springframework.cloud:spring-cloud-gateway-server-mvc to version 4.1.8, 4.2.3 or higher.

    [,4.1.8)[4.2.0,4.2.3)
    Go back to all versions of this package