CVE-2022-31679

Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
vmwareCNA
---
---
CVEADP
---
---
CISA-ADPADP
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 43%
VendorProductVersion
vmwarespring_data_rest
3.6.0 ≤
𝑥
< 3.6.7
vmwarespring_data_rest
3.7.0 ≤
𝑥
< 3.7.3
𝑥
= Vulnerable software versions
References
https://tanzu.vmware.com/security/cve-2022-31679
https://tanzu.vmware.com/security/cve-2022-31679