Unintended Proxy or Intermediary ('Confused Deputy') Affecting org.springframework.cloud:spring-cloud-gateway-server package, versions [,3.1.10)[4.0.0,4.1.8)[4.2.0,4.2.3)


Severity: high (CVSS assessment by Snyk's Security Team)

Threat Intelligence

EPSS: 0.03% (9th percentile)

  • Snyk ID: SNYK-JAVA-ORGSPRINGFRAMEWORKCLOUD-10265481
  • Published: 30 May 2025
  • Disclosed: 30 May 2025
  • Credit: Vilius Šumskas

Introduced: 30 May 2025

CVE-2025-41235
CWE-441

How to fix?

Upgrade org.springframework.cloud:spring-cloud-gateway-server to version 3.1.10, 4.1.8, 4.2.3 or higher.

Overview

Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') due to the improper validation of X-Forwarded-For and Forwarded headers forwarded from untrusted proxies. An attacker can manipulate the server's behavior by sending crafted headers from an untrusted proxy.

Notes:

  1. The vulnerability was also fixed in version 4.0.12, a commercial version.

  2. The X-Forwarded-* and Forwarded header functionality will be disabled by default in the fix versions. If you require X-Forwarded-* or Forwarded header functionality, after upgrading you will need to set spring.cloud.gateway.trusted-proxies to a Java regular expression matching the proxies whose headers you trust. If you are using Spring Cloud Gateway Server MVC (only available from 4.1.x onward), set spring.cloud.gateway.mvc.trusted-proxies instead.

Workaround

This can be mitigated by disabling the Forwarded and X-Forwarded-* header handling:

  • If you are using spring-cloud-starter-gateway, set spring.cloud.gateway.forwarded.enabled=false and spring.cloud.gateway.x-forwarded.enabled=false.
  • If you are using spring-cloud-starter-gateway-mvc (only available from 4.1.x onward), set spring.cloud.gateway.mvc.forwarded-request-headers-filter.enabled=false and spring.cloud.gateway.mvc.x-forwarded-request-headers-filter.enabled=false.
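As an added example (not part of this advisory or the Spring Cloud project), the application.yml fragments below show the pre-upgrade workaround from this section beside the post-upgrade spring.cloud.gateway.trusted-proxies setting from note 2, for both the reactive and the MVC gateway. The proxy addresses 10.0.1.10 and 10.0.1.11 are placeholders, and the regular expression is assumed to be matched against the address of the peer that delivered the request.

```yaml
# Fragment 1: workaround before upgrading, reactive gateway (spring-cloud-starter-gateway).
# Stops the gateway from honouring Forwarded and X-Forwarded-* from any client.
spring:
  cloud:
    gateway:
      forwarded:
        enabled: false
      x-forwarded:
        enabled: false
---
# Fragment 2: same workaround for the MVC gateway (spring-cloud-starter-gateway-mvc, 4.1.x onward).
spring:
  cloud:
    gateway:
      mvc:
        forwarded-request-headers-filter:
          enabled: false
        x-forwarded-request-headers-filter:
          enabled: false
---
# Fragment 3: after upgrading to 3.1.10 / 4.1.8 / 4.2.3 or later the headers are ignored by
# default. Re-enable them only for the proxies you operate. Placeholder addresses 10.0.1.10 and
# 10.0.1.11; the value is a Java regular expression, single-quoted so YAML keeps the backslashes,
# and is assumed to be matched against the connecting peer's address. A catch-all such as '.*'
# would trust every client again, which is exactly the behaviour the fix removes.
spring:
  cloud:
    gateway:
      trusted-proxies: '10\.0\.1\.1[01]'
---
# Fragment 4: MVC equivalent of fragment 3.
spring:
  cloud:
    gateway:
      mvc:
        trusted-proxies: '10\.0\.1\.1[01]'
```

The fragments are alternatives separated by YAML document markers; use the one that matches your starter and upgrade state rather than all four in one file.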
