CVE-2023-34036 Overview
CVE-2023-34036 is a vulnerability affecting reactive web applications using Spring HATEOAS to produce hypermedia-based responses. The flaw exposes applications to malicious forwarded headers when they are not deployed behind a trusted proxy that validates such headers, or when they lack proper mechanisms to handle and discard forwarded headers at either the WebFlux layer or the underlying HTTP server level.
For applications to be vulnerable, they must satisfy specific conditions: they need to use the reactive web stack (Spring WebFlux) combined with Spring HATEOAS to create links in hypermedia-based responses, and the application infrastructure must not guard against clients submitting X-Forwarded-* headers.
Critical Impact
Attackers can manipulate forwarded headers to influence hypermedia link generation, potentially leading to link manipulation, URL poisoning, and phishing attacks through crafted responses.
Affected Products
- VMware Spring HATEOAS versions prior to 1.5.5
- VMware Spring HATEOAS versions 2.0.x prior to 2.0.5
- VMware Spring HATEOAS version 2.1.0 (including the milestone 1 and release candidate 1 builds)
Discovery Timeline
- 2023-07-17 - CVE-2023-34036 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-34036
Vulnerability Analysis
This vulnerability stems from improper handling of HTTP forwarded headers in Spring HATEOAS when used with Spring WebFlux's reactive web stack. The weakness relates to CWE-644 (Improper Neutralization of HTTP Headers for Scripting Syntax) and CWE-116 (Improper Encoding or Escaping of Output).
When Spring HATEOAS generates hypermedia links in responses, it relies on request context to construct absolute URLs. In reactive applications using WebFlux, if forwarded headers such as X-Forwarded-Host, X-Forwarded-Proto, or X-Forwarded-Port are not properly validated or filtered, an attacker can inject malicious values. These injected values are then incorporated into the generated hypermedia links, causing the application to produce responses containing attacker-controlled URLs.
Root Cause
The root cause lies in the trust placed on client-supplied forwarded headers without proper validation. Spring HATEOAS's link building mechanism in reactive contexts consumes these headers to determine the base URL for hypermedia links. When the application is not protected by a reverse proxy that sanitizes these headers, or lacks explicit configuration to discard untrusted headers, the attacker-supplied values flow directly into the response generation logic.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can craft HTTP requests with malicious forwarded headers targeting vulnerable Spring WebFlux applications using Spring HATEOAS. The attack flow involves:
- The attacker sends a request with manipulated X-Forwarded-Host or similar headers to the target application
- Spring HATEOAS processes the request and uses the forwarded header values to construct hypermedia links
- The generated response contains links pointing to attacker-controlled domains
- Legitimate users consuming the API may follow these malicious links, potentially leading to credential theft or further exploitation
The vulnerability has a network attack vector with low complexity, requiring no privileges or user interaction, but with integrity impact limited to the manipulation of generated links.
Detection Methods for CVE-2023-34036
Indicators of Compromise
- Unusual or unexpected values in X-Forwarded-Host, X-Forwarded-Proto, or X-Forwarded-Port headers in application logs
- Generated hypermedia links in API responses pointing to external or unexpected domains
- HTTP requests containing forwarded headers from sources outside trusted proxy infrastructure
Detection Strategies
- Implement logging and monitoring for all incoming forwarded headers at the application or proxy level
- Deploy web application firewall (WAF) rules to detect and alert on suspicious forwarded header patterns
- Review application logs for hypermedia responses containing unexpected base URLs
Monitoring Recommendations
- Enable detailed access logging on reverse proxies and load balancers to capture all forwarded header values
- Configure alerting for requests containing forwarded headers from untrusted client IP addresses
- Monitor outbound link patterns in API responses for anomalies indicating header manipulation
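The detection and monitoring items above can be turned into a simple log check. The following Java class is an added example, not part of this page or of any Spring project code: it scans access-log lines and flags two conditions, forwarded headers arriving from an address that is not a known proxy, and a proxy relaying an X-Forwarded-Host that the service never serves. The log layout, the proxy address and the expected hostname are assumptions constructed for the example; adapt the pattern to whatever your proxy or application actually writes.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Scans access-log lines for forwarded-header anomalies. The log layout is an
 * assumption for this example: one request per line, with the client address
 * and the raw X-Forwarded-Host / X-Forwarded-Proto values quoted.
 */
public class ForwardedHeaderLogScan {

    // Assumed layout: <client-ip> "<METHOD> <path>" xfh="<X-Forwarded-Host>" xfp="<X-Forwarded-Proto>"
    private static final Pattern LINE = Pattern.compile(
            "^(?<ip>\\S+) \"(?<method>[A-Z]+) (?<path>\\S+)\" xfh=\"(?<xfh>[^\"]*)\" xfp=\"(?<xfp>[^\"]*)\"$");

    // Assumed trusted proxy addresses and the hostnames generated links are expected to use.
    private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");
    private static final Set<String> EXPECTED_HOSTS = Set.of("api.example.com");

    public record Finding(String clientIp, String path, String reason) {}

    public static List<Finding> scan(List<String> lines) {
        List<Finding> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) {
                findings.add(new Finding("?", "?", "unparseable log line: " + line));
                continue;
            }
            String ip = m.group("ip");
            String xfh = m.group("xfh");
            String xfp = m.group("xfp");
            boolean forwarded = !xfh.isEmpty() || !xfp.isEmpty();
            if (!forwarded) {
                continue; // no forwarded headers on this request, nothing to assess
            }
            if (!TRUSTED_PROXIES.contains(ip)) {
                // A forwarded header reached the application from a source that is
                // not one of our proxies, so the value is client-supplied.
                findings.add(new Finding(ip, m.group("path"),
                        "forwarded headers from untrusted source (X-Forwarded-Host=" + xfh + ")"));
            } else if (!xfh.isEmpty() && !EXPECTED_HOSTS.contains(xfh)) {
                // The proxy passed a host we never serve: it is relaying client
                // values instead of overriding them.
                findings.add(new Finding(ip, m.group("path"),
                        "unexpected X-Forwarded-Host relayed by proxy: " + xfh));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample lines, not real logs.
        List<String> sample = List.of(
                "10.0.0.5 \"GET /orders\" xfh=\"api.example.com\" xfp=\"https\"",
                "203.0.113.7 \"GET /orders\" xfh=\"untrusted.example\" xfp=\"https\"",
                "10.0.0.5 \"GET /orders\" xfh=\"untrusted.example\" xfp=\"https\"",
                "203.0.113.9 \"GET /health\" xfh=\"\" xfp=\"\"");
        scan(sample).forEach(f -> System.out.println(f.clientIp() + " " + f.path() + ": " + f.reason()));
    }
}
```

The second finding type is the more useful one in a correctly deployed setup: if only the proxy can reach the application, any unexpected host it relays means the proxy is passing client headers through instead of overwriting them, which is exactly the condition this CVE depends on.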
How to Mitigate CVE-2023-34036
Immediate Actions Required
- Upgrade Spring HATEOAS to 1.5.5 (1.5.x branch), 2.0.5 (2.0.x branch), or 2.1.1 or later (2.1.x branch), according to the branch in use
- Ensure all Spring WebFlux applications using HATEOAS are deployed behind a trusted reverse proxy that sanitizes forwarded headers
- Review and configure ForwardedHeaderTransformer in WebFlux to explicitly handle or discard untrusted forwarded headers
Patch Information
VMware has released patched versions of Spring HATEOAS that address this vulnerability. Refer to the Spring Security Advisory for CVE-2023-34036 for detailed upgrade instructions and release notes. Organizations should upgrade to the following fixed versions:
- Version 1.5.5 for the 1.5.x branch
- Version 2.0.5 for the 2.0.x branch
- Version 2.1.1 or later for the 2.1.x branch
Workarounds
- Deploy a reverse proxy (such as nginx, Apache, or a cloud load balancer) in front of the application that strips or validates forwarded headers before they reach the application
- Configure the ForwardedHeaderTransformer bean in Spring WebFlux to remove forwarded headers from untrusted sources
- Implement custom request filtering to validate and sanitize X-Forwarded-* headers based on expected proxy behavior
# Example nginx configuration to sanitize forwarded headers
# Add to your server block to control forwarded header propagation
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
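The WebFlux-side workaround (configuring ForwardedHeaderTransformer, and optionally a custom filter) can look like the following Java configuration. It is an added example, not code from this page or from the Spring projects: it registers the transformer in remove-only mode, which strips Forwarded and X-Forwarded-* headers before any handler or Spring HATEOAS link building can read them, and shows a WebFilter for deployments that do have a trusted proxy. The proxy addresses, the request URL and the header values in the check are constructed assumptions; the check itself needs spring-test on the classpath.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import org.springframework.web.server.adapter.ForwardedHeaderTransformer;
import reactor.core.publisher.Mono;

import java.net.InetSocketAddress;
import java.util.List;
import java.util.Set;

/**
 * Option A: no trusted proxy in front of the application. WebFlux applies the
 * ForwardedHeaderTransformer before the WebFilter chain, so in remove-only mode
 * every Forwarded / X-Forwarded-* header is stripped before any handler (and
 * Spring HATEOAS link building) can read it. The bean name matters:
 * WebHttpHandlerBuilder looks the transformer up as "forwardedHeaderTransformer".
 * A bean of this type also takes precedence over the one Spring Boot registers
 * for server.forward-headers-strategy=framework.
 */
@Configuration
public class ForwardedHeaderHardening {

    @Bean(name = "forwardedHeaderTransformer")
    public ForwardedHeaderTransformer forwardedHeaderTransformer() {
        ForwardedHeaderTransformer transformer = new ForwardedHeaderTransformer();
        transformer.setRemoveOnly(true); // strip the headers; never apply them to the request URI
        return transformer;
    }

    /**
     * Option B: a trusted proxy is present and its headers must be honoured, so
     * the remove-only bean above is not registered. This WebFilter drops forwarded
     * headers from any connection that did not arrive from a trusted proxy
     * address. Caveat: WebFlux runs a registered ForwardedHeaderTransformer before
     * WebFilters, so this filter only protects code that reads the raw headers
     * itself; the proxy overriding the headers remains the primary control.
     * The proxy addresses are assumed values for the example.
     */
    static final class TrustedProxyForwardedHeaderFilter implements WebFilter {

        private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5", "10.0.0.6"); // assumed
        private static final List<String> FORWARDED_HEADERS = List.of(
                "Forwarded", "X-Forwarded-Host", "X-Forwarded-Proto", "X-Forwarded-Port",
                "X-Forwarded-Prefix", "X-Forwarded-For", "X-Forwarded-Ssl");

        @Override
        public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
            ServerHttpRequest request = exchange.getRequest();
            if (fromTrustedProxy(request) || !carriesForwardedHeaders(request.getHeaders())) {
                return chain.filter(exchange);
            }
            // Rebuild the request without the forwarded headers and continue the chain.
            ServerHttpRequest stripped = request.mutate()
                    .headers(headers -> FORWARDED_HEADERS.forEach(headers::remove))
                    .build();
            return chain.filter(exchange.mutate().request(stripped).build());
        }

        private static boolean fromTrustedProxy(ServerHttpRequest request) {
            InetSocketAddress remote = request.getRemoteAddress();
            return remote != null && remote.getAddress() != null
                    && TRUSTED_PROXIES.contains(remote.getAddress().getHostAddress());
        }

        private static boolean carriesForwardedHeaders(HttpHeaders headers) {
            return FORWARDED_HEADERS.stream().anyMatch(headers::containsKey);
        }
    }

    /**
     * Constructed check: a request carrying untrusted forwarded headers goes
     * through the remove-only transformer; the returned request keeps the real
     * URI and no longer carries the forwarded headers.
     */
    public static void main(String[] args) {
        ForwardedHeaderTransformer transformer = new ForwardedHeaderHardening().forwardedHeaderTransformer();
        ServerHttpRequest incoming = MockServerHttpRequest
                .get("http://app.internal:8080/orders/42")          // constructed
                .header("X-Forwarded-Host", "untrusted.example")     // constructed value
                .header("X-Forwarded-Proto", "https")
                .build();
        ServerHttpRequest cleaned = transformer.apply(incoming);
        System.out.println("URI after transformer: " + cleaned.getURI());
        System.out.println("X-Forwarded-Host still present: " + cleaned.getHeaders().containsKey("X-Forwarded-Host"));
    }
}
```

Remove-only mode is stricter than Spring Boot's default server.forward-headers-strategy=none: with none, no transformer is registered and the headers pass through untouched to whatever reads them, whereas remove-only deletes them from the request. Patching Spring HATEOAS is still required; these settings limit exposure while the upgrade is rolled out and remain good hygiene afterwards.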
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.