CVE-2021-22047 Overview
CVE-2021-22047 is a broken access control vulnerability affecting VMware Spring Data REST. In vulnerable versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for unauthorized access depending on the Spring Security configuration. This vulnerability allows attackers to potentially bypass access controls and access protected resources through unintended URI paths.
Critical Impact
Unauthorized access to protected REST API endpoints through alternative URI paths, potentially exposing sensitive data or functionality depending on application configuration.
Affected Products
- VMware Spring Data REST versions 3.4.0 - 3.4.13
- VMware Spring Data REST versions 3.5.0 - 3.5.5
- Older unsupported versions of Spring Data REST
Discovery Timeline
- 2021-10-28 - CVE-2021-22047 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-22047
Vulnerability Analysis
This vulnerability (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, CWE-668: Exposure of Resource to Wrong Sphere) occurs due to improper handling of request mapping in Spring Data REST when custom controllers are configured with a base API path and type-level request mappings. The framework inadvertently exposes these endpoints through additional URI paths that may not be protected by the same Spring Security rules applied to the intended endpoints.
The root issue lies in how Spring Data REST constructs and registers controller mappings. When developers configure a base API path (e.g., /api) and define type-level @RequestMapping annotations on custom controllers, the framework creates duplicate route registrations. These duplicate routes may fall outside the scope of security rules that administrators have defined for their intended API paths.
Root Cause
The vulnerability stems from improper URI path handling in Spring Data REST's controller registration mechanism. Custom controllers with type-level request mappings are registered under multiple URI patterns, and some of these patterns bypass the configured base API path structure. This architectural flaw means that security configurations targeting the base API path do not automatically cover all exposed endpoints.
Attack Vector
An attacker can exploit this vulnerability over the network without requiring authentication or user interaction. The attack involves discovering alternative URI paths that expose the same controller functionality but bypass security configurations. By making HTTP requests to these unprotected paths, an attacker can potentially access resources that should be restricted.
For example, if an application defines a custom controller at /api/secure/resource with Spring Security rules protecting /api/**, the vulnerability may expose the same resource at an alternative path like /secure/resource that falls outside the security configuration scope. The attacker simply needs to enumerate or discover these alternative paths and make direct requests to access protected functionality.
Detection Methods for CVE-2021-22047
Indicators of Compromise
- Unexpected HTTP requests to API endpoints outside the configured base API path
- Access logs showing successful requests to paths that should be protected but aren't covered by security rules
- Authentication bypass attempts targeting alternative URI patterns for REST controllers
Detection Strategies
- Review application access logs for requests to endpoints that mirror protected resources but use different URI paths
- Implement security auditing to detect access to REST controllers through unintended routes
- Configure alerting for HTTP 200 responses to paths that should require authentication but are being accessed anonymously
Monitoring Recommendations
- Enable detailed access logging for all REST API endpoints in the application
- Monitor for anomalous request patterns that target alternative URI paths not documented in the API specification
- Implement runtime application self-protection (RASP) to detect and block unauthorized API access attempts
How to Mitigate CVE-2021-22047
Immediate Actions Required
- Upgrade Spring Data REST to version 3.4.14 or later for the 3.4.x branch
- Upgrade Spring Data REST to version 3.5.6 or later for the 3.5.x branch
- Review and audit Spring Security configurations to ensure all exposed endpoints are properly protected
- Implement defense-in-depth by applying security rules at multiple levels (path-based and method-level security)
Patch Information
VMware has released patched versions of Spring Data REST that address this vulnerability. Users should upgrade to Spring Data REST 3.4.14+ or 3.5.6+ depending on their current version branch. Detailed patch information is available in the VMware Security Advisory.
Workarounds
- Apply method-level security annotations (@PreAuthorize, @Secured) directly on controller methods to ensure authorization is enforced regardless of the request path
- Review and tighten Spring Security configurations to use broader path patterns or implement security at the controller/method level rather than relying solely on URI path-based rules
- Implement a security filter that validates all incoming requests against a whitelist of allowed API paths
- Consider using Spring Security's antMatchers with catch-all patterns to ensure no unprotected endpoints exist
# Example Maven dependency update to patched version
# Update pom.xml with:
# <dependency>
# <groupId>org.springframework.data</groupId>
# <artifactId>spring-data-rest-webmvc</artifactId>
# <version>3.5.6</version>
# </dependency>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
