CVE-2022-31679

EUVD-2022-6811
Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA-ADPADP
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 45%
Affected Products (NVD)
VendorProductVersion
vmwarespring_data_rest
3.6.0 ≤
𝑥
< 3.6.7
vmwarespring_data_rest
3.7.0 ≤
𝑥
< 3.7.3
𝑥
= Vulnerable software versions
References
https://tanzu.vmware.com/security/cve-2022-31679
https://tanzu.vmware.com/security/cve-2022-31679