CVE-2022-31679 Overview
CVE-2022-31679 is an information disclosure vulnerability affecting VMware Spring Data REST. Applications that allow HTTP PATCH access to resources exposed by Spring Data REST are vulnerable when an attacker has knowledge of the structure of the underlying domain model. By crafting specific HTTP requests, an attacker can expose hidden entity attributes that should not be accessible through the API.
Critical Impact
Attackers with knowledge of the domain model structure can bypass access controls to expose sensitive hidden entity attributes through crafted HTTP PATCH requests.
Affected Products
- VMware Spring Data REST versions 3.6.0 - 3.5.5
- VMware Spring Data REST versions 3.7.0 - 3.7.2
- Older unsupported versions of VMware Spring Data REST
Discovery Timeline
- 2022-09-21 - CVE CVE-2022-31679 published to NVD
- 2025-05-22 - Last updated in NVD database
Technical Details for CVE-2022-31679
Vulnerability Analysis
This vulnerability represents an information exposure flaw in VMware Spring Data REST's handling of HTTP PATCH requests. Spring Data REST provides a mechanism to expose JPA repositories as RESTful endpoints automatically. The vulnerability exists in how the framework processes PATCH requests against these exposed resources.
When domain models contain hidden or internal attributes that are not intended to be exposed through the REST API, the PATCH request handling logic fails to properly enforce access restrictions on these attributes. An attacker who understands or can deduce the structure of the underlying domain model can craft HTTP PATCH requests that reference these hidden attributes, causing the application to inadvertently expose their values.
The attack requires network access and knowledge of the target application's domain model structure. While this prerequisite raises the complexity of exploitation, it does not require authentication, meaning any network-accessible attacker could potentially exploit this vulnerability if they can determine the domain model structure through reconnaissance or documentation leaks.
Root Cause
The root cause of this vulnerability lies in insufficient input validation and access control enforcement within the HTTP PATCH request handler in Spring Data REST. The framework does not adequately verify that requested entity attributes are permitted for access through the REST interface before processing PATCH operations. This allows crafted requests to bypass the intended access restrictions on hidden domain model attributes.
Attack Vector
The attack is conducted over the network via HTTP PATCH requests to Spring Data REST endpoints. An attacker must first obtain knowledge of the target application's domain model structure, which may be achieved through application documentation, error messages, or other reconnaissance techniques. Once the domain structure is understood, the attacker constructs HTTP PATCH requests that specifically reference hidden entity attributes.
The vulnerability manifests in the PATCH request processing logic where entity attribute access controls are not properly enforced. An attacker sends specially crafted HTTP PATCH requests to REST endpoints that expose Spring Data repositories. By including references to hidden attributes in the patch document, the attacker can trigger the application to reveal attribute values that should remain concealed. Detailed technical information can be found in the VMware Security Advisory CVE-2022-31679.
Detection Methods for CVE-2022-31679
Indicators of Compromise
- Unusual HTTP PATCH requests targeting Spring Data REST endpoints with uncommon or internal attribute names
- Increased volume of PATCH requests from single sources attempting to enumerate domain model attributes
- Application logs showing access attempts to attributes not normally exposed through the REST API
Detection Strategies
- Monitor HTTP PATCH request patterns for attempts to access non-standard entity attributes
- Implement application-level logging for REST endpoint access with attribute-level auditing
- Deploy web application firewall (WAF) rules to detect and block anomalous PATCH request payloads
- Review application logs for error messages that may indicate attribute enumeration attempts
Monitoring Recommendations
- Enable verbose logging for Spring Data REST endpoints to capture full request details
- Set up alerting for PATCH requests containing unusual attribute references
- Monitor for reconnaissance patterns such as sequential attribute probing attempts
- Implement rate limiting on PATCH endpoints to slow down enumeration attacks
How to Mitigate CVE-2022-31679
Immediate Actions Required
- Upgrade VMware Spring Data REST to a patched version as specified in the vendor advisory
- Review and restrict HTTP PATCH access to Spring Data REST endpoints where possible
- Implement additional access controls at the application layer to validate attribute access
- Audit existing domain models for sensitive hidden attributes that could be exposed
Patch Information
VMware has released security patches addressing this vulnerability. Administrators should consult the VMware Security Advisory CVE-2022-31679 for specific version upgrade paths and patch details. It is recommended to upgrade from affected versions 3.6.0 - 3.5.5 and 3.7.0 - 3.7.2 to the latest patched releases.
Workarounds
- Disable HTTP PATCH method access to Spring Data REST endpoints if not required by the application
- Implement custom request interceptors to validate and filter PATCH request payloads before processing
- Use Spring Security or similar frameworks to add explicit attribute-level access controls
- Consider using projections to explicitly control which attributes are exposed via REST endpoints
# Example: Disable PATCH method in Spring Security configuration
# Add to your security configuration to restrict PATCH access
# http.authorizeRequests()
# .antMatchers(HttpMethod.PATCH, "/api/**").denyAll()
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
