=====================================================================
CERT-Renater Information Note No. 2025/VULN259
_____________________________________________________________________

DATE : 28/04/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Spring Boot versions prior to 2.7.25, 3.1.16, 3.2.14, 3.3.11, 3.4.5.
=====================================================================

https://spring.io/security/cve-2025-22235/
_____________________________________________________________________

CVE-2025-22235: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed
MEDIUM | APRIL 24, 2025 | CVE-2025-22235

Description

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint for which the EndpointRequest has been created is disabled or not exposed.

Your application may be affected by this if all of the following conditions are met:
- You use Spring Security
- EndpointRequest.to() has been used in a Spring Security chain configuration
- The endpoint which EndpointRequest references is disabled or not exposed via web
- Your application handles requests to /null and this path needs protection

You are not affected if any of the following is true:
- You don't use Spring Security
- You don't use EndpointRequest.to()
- The endpoint which EndpointRequest.to() refers to is enabled and is exposed
- Your application does not handle requests to /null, or this path does not need protection

Affected Spring Products and Versions

Spring Boot:
- 2.7.0 - 2.7.24.2
- 3.1.0 - 3.1.15.2
- 3.2.0 - 3.2.13.2
- 3.3.0 - 3.3.10
- 3.4.0 - 3.4.4
Older, unsupported versions are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.
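As an added illustration, not part of the advisory and not the Spring project's own code: a Spring Security configuration using the affected EndpointRequest.to() pattern, with comments showing why a disabled or unexposed endpoint turns the rule into one for null/** and which actuator properties keep the referenced endpoint enabled and exposed. It assumes Spring Boot 3.x with Spring Security 6; the "health" endpoint name and the ACTUATOR_ADMIN role are placeholders chosen for the example.

```java
// Added example (not from the advisory). Assumes Spring Boot 3.x with
// Spring Security 6; the "health" endpoint and the ACTUATOR_ADMIN role are
// placeholders chosen for illustration.
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    @Bean
    SecurityFilterChain securityChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
            // Affected pattern: on an unfixed version, if the "health" endpoint is
            // disabled or not exposed over the web, this matcher is built for
            // "null/**" instead of the health endpoint's path. A handler mapped at
            // /null (which the rule below meant to keep authenticated) would then
            // be reachable without authentication.
            .requestMatchers(EndpointRequest.to("health")).permitAll()
            // All other actuator endpoints stay restricted to an admin role.
            .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR_ADMIN")
            // Every other application path, /null included, requires authentication.
            .anyRequest().authenticated());
        return http.build();
    }
}

/*
 * Workaround from the advisory when upgrading is not possible: keep the
 * endpoint that EndpointRequest.to() names enabled and exposed via web, so the
 * matcher is built for its real path. In application.properties:
 *
 *   management.endpoint.health.enabled=true
 *   management.endpoints.web.exposure.include=health,info
 *
 * The other workaround is not to map any handler at /null at all.
 */
```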
Affected version(s) | Fix version | Availability
2.7.x               | 2.7.25      | Enterprise Support Only
3.1.x               | 3.1.16      | Enterprise Support Only
3.2.x               | 3.2.14      | Enterprise Support Only
3.3.x               | 3.3.11      | OSS
3.4.x               | 3.4.5       | OSS

If you cannot upgrade, then you can either:
- Make sure that the endpoint to which EndpointRequest.to() refers is enabled and exposed via web
- Make sure that you don't handle requests to /null

Credit

This vulnerability was discovered and responsibly reported by Janek Bettinger ([email protected]).

References

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C&version=3.1

=========================================================
+ CERT-RENATER      | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel  | fax : 01-53-94-20-41            +
+ 75013 Paris       | email : cert@support.renater.fr +
=========================================================