VMware Spring Boot
cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*
- >= 2.7.0, <= 2.7.24.2
- >= 3.1.0, <= 3.1.15.2
- >= 3.2.0, <= 3.2.13.2
- >= 3.3.0, <= 3.3.10
- >= 3.4.0, <= 3.4.4
- ~2.7
- ~3.1
- ~3.2
- ~3.3
- ~3.4
A vulnerability exists in multiple NetApp products that use Spring Boot, specifically in versions 2.7.0 through 2.7.24.2, 3.1.0 through 3.1.15.2, 3.2.0 through 3.2.13.2, 3.3.0 through 3.3.10, and 3.4.0 through 3.4.4. This vulnerability arises because the 'EndpointRequest.to()' method can create a matcher for 'null/**' when the referenced actuator endpoint is disabled or not exposed. Applications may be affected if all of the following hold: they use Spring Security; 'EndpointRequest.to()' appears in a Spring Security chain configuration; the referenced endpoint is disabled or not exposed; and the application handles requests to '/null' that require protection.
Exploitation of this vulnerability could lead to the application improperly handling requests to '/null', potentially allowing unprotected access to this path.
Users can upgrade to Spring Boot versions 2.7.25, 3.1.16, 3.2.14, 3.3.11, or 3.4.5, depending on their current version. If an upgrade is not possible, ensure that the endpoint referenced by 'EndpointRequest.to()' is enabled and exposed, or that the application does not handle requests to '/null'.
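The configuration pattern described above, together with a regression test for the non-upgrade mitigation, as an added example that is not part of the advisory or of Spring Boot's own code. It assumes a Spring Boot 3.x application with spring-boot-starter-actuator, spring-boot-starter-security and spring-boot-starter-test on the classpath; the class names are chosen here for illustration.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Security chain that references the actuator "health" endpoint via EndpointRequest.to().
// On affected versions this is the vulnerable pattern whenever "health" is disabled
// (management.endpoint.health.enabled=false) or not exposed over HTTP
// (management.endpoints.web.exposure.include omits it): the matcher then covers
// "null/**", so the permitAll() rule silently applies to "/null" rather than the endpoint.
@Configuration
class ActuatorSecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults()); // anonymous requests are answered with 401
        return http.build();
    }
}

// Regression check for the advisory's non-upgrade mitigation: with "health" kept enabled
// and exposed, the matcher resolves to the real endpoint path, so an anonymous request
// to "/null" must be rejected. Had the matcher degraded to "null/**", the request would
// be permitted and the test would see the application's own response instead of 401.
@SpringBootTest(properties = {
        "management.endpoint.health.enabled=true",
        "management.endpoints.web.exposure.include=health"
})
@AutoConfigureMockMvc
class NullPathStillProtectedTest {
    @Autowired MockMvc mvc;

    @Test
    void anonymousRequestToNullPathIsRejected() throws Exception {
        mvc.perform(get("/null")).andExpect(status().isUnauthorized());
    }
}
```

The two classes belong in separate source files in a real project; the test fails on an affected version whenever the properties are flipped to disable or hide the endpoint, which makes it a useful guard until the upgrade lands.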