VMware Spring Cloud Config
cpe:2.3:a:vmware:spring_cloud_config:*:*:*:*:*:*:*
- >= 2.2.1.RELEASE, <= 4.2.1
A vulnerability exists in Spring Cloud Config Server versions 2.2.1.RELEASE through 4.2.1, where the server may not properly utilize Vault tokens sent by clients via the X-CONFIG-TOKEN header when making requests to Vault. This issue arises if Spring Vault is included in the classpath of the Config Server, the X-CONFIG-TOKEN header is used to transmit a Vault token, and the default SessionManager implementation, LifecycleAwareSessionManager, or a similar implementation that retains the Vault token, such as SimpleSessionManager, is in use. The SessionManager will save the first token it receives and continue to use it, disregarding any subsequent tokens provided in client requests.
Exploitation of this vulnerability can lead to incorrect Vault token management, potentially allowing unauthorized access to Vault secrets or resources.
Users of affected versions should upgrade to Spring Cloud Config 4.2.2, 4.1.6, or 4.0.10, depending on their current version. Note that Spring Cloud Config 3.0.x and 2.2.x are no longer supported, and users should upgrade to a supported version. If an upgrade is not possible, remove Spring Vault from the classpath if it is not needed, or implement a custom SessionManager that does not persist the Vault token and provide a bean with that implementation in a @Configuration class.
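The workaround above asks for a SessionManager that does not persist the Vault token. The following is an added illustration, not code from the Spring Cloud Config project or the advisory: a stateless SessionManager that re-runs the ClientAuthentication login on every call, registered as a bean from a @Configuration class, next to a minimal caching manager that reproduces the retained-token behaviour the advisory describes. The class names NonCachingSessionManager, FirstTokenWinsSessionManager and VaultSessionConfig are hypothetical, and it is assumed that the injected ClientAuthentication is the Config Server's own, which resolves the token from the current request's X-CONFIG-TOKEN header.

```java
import java.util.ArrayDeque;
import java.util.Deque;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.authentication.SessionManager;
import org.springframework.vault.support.VaultToken;

/**
 * Hypothetical SessionManager that never retains a token. Each call re-runs
 * the ClientAuthentication login, so the token handed to Vault is the one
 * resolved for the current request, not the first one the server ever saw.
 */
class NonCachingSessionManager implements SessionManager {

    private final ClientAuthentication clientAuthentication;

    NonCachingSessionManager(ClientAuthentication clientAuthentication) {
        this.clientAuthentication = clientAuthentication;
    }

    @Override
    public VaultToken getSessionToken() {
        // No field stores the result; nothing survives between calls.
        return clientAuthentication.login();
    }
}

/**
 * Hypothetical stand-in for a token-retaining manager, written only to show
 * the behaviour the advisory warns about: the first token wins for the
 * lifetime of the bean, and later per-request tokens are ignored.
 */
class FirstTokenWinsSessionManager implements SessionManager {

    private final ClientAuthentication clientAuthentication;
    private VaultToken retained; // populated once, then reused forever

    FirstTokenWinsSessionManager(ClientAuthentication clientAuthentication) {
        this.clientAuthentication = clientAuthentication;
    }

    @Override
    public VaultToken getSessionToken() {
        if (retained == null) {
            retained = clientAuthentication.login();
        }
        return retained;
    }
}

/**
 * Bean registration as the advisory suggests: a @Configuration class that
 * exposes the non-persisting SessionManager so it is used instead of the
 * default LifecycleAwareSessionManager.
 */
@Configuration
public class VaultSessionConfig {

    @Bean
    SessionManager sessionManager(ClientAuthentication clientAuthentication) {
        // Assumption: this ClientAuthentication reads X-CONFIG-TOKEN per request.
        return new NonCachingSessionManager(clientAuthentication);
    }

    /**
     * Offline demonstration with a constructed ClientAuthentication that
     * yields a different token on each login, standing in for two clients
     * sending two different X-CONFIG-TOKEN values.
     */
    public static void main(String[] args) {
        Deque<String> perRequestTokens = new ArrayDeque<>();
        perRequestTokens.add("s.client-A-token"); // constructed sample value
        perRequestTokens.add("s.client-B-token"); // constructed sample value

        ClientAuthentication perRequest = () -> VaultToken.of(perRequestTokens.poll());

        SessionManager retaining = new FirstTokenWinsSessionManager(perRequest);
        SessionManager stateless = new NonCachingSessionManager(perRequest);

        // The retaining manager answers both calls with client A's token;
        // the stateless manager returns whatever the current login yields.
        VaultToken retainedFirst = retaining.getSessionToken();
        VaultToken retainedSecond = retaining.getSessionToken();
        VaultToken freshToken = stateless.getSessionToken();

        System.out.println("retaining, call 1: " + retainedFirst.getToken());
        System.out.println("retaining, call 2: " + retainedSecond.getToken());
        System.out.println("stateless, call 1: " + freshToken.getToken());
    }
}
```

The trade-off of the stateless manager is that it gives up token renewal and revocation, which is exactly what LifecycleAwareSessionManager adds; that is acceptable here because the token belongs to the calling client and its lifecycle is the client's responsibility, not the Config Server's.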