Spring Security
cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*, +1 more
- >= 5.7.0, <= 5.7.21
- >= 5.8.0, <= 5.8.23
- >= 6.3.0, <= 6.3.14
- >= 6.4.0, <= 6.4.14
- >= 6.5.0, <= 6.5.8
- >= 7.0.0, <= 7.0.3
A vulnerability in Spring Security can prevent HTTP response headers from being written in servlet applications. The affected versions are 5.7.0 through 5.7.21, 5.8.0 through 5.8.23, 6.3.0 through 6.3.14, 6.4.0 through 6.4.14, 6.5.0 through 6.5.8, and 7.0.0 through 7.0.3 (all inclusive, as in the ranges above). Older, unsupported versions may also be affected.
When the headers are not written, responses leave the application without the protections Spring Security normally adds. The most direct consequence is that the Cache-Control, Pragma and Expires headers that mark responses passing through the filter chain as non-cacheable are absent, so sensitive content can be stored by a browser or intermediate cache and later served to another user of that cache; other attacks that the missing headers mitigate become possible as well.
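A quick way to verify whether a deployment shows the symptom is to inspect a raw response and compare it against the header set Spring Security writes by default. The following check is an added example, not code from the advisory or from the Spring Security project; the three raw responses are constructed for illustration, and the expected values are Spring Security's documented defaults for plain HTTP (Strict-Transport-Security is only added on HTTPS, so it is deliberately not checked).

```python
"""Check a servlet response for the headers Spring Security writes by default.

Added example (not code from the advisory or from the Spring Security
project). The raw responses below are constructed for illustration; the
expected header values are Spring Security's documented defaults for HTTP
(Strict-Transport-Security is only added on HTTPS, so it is not checked here).
"""

# Header name -> directives that Spring Security's default header writers emit.
EXPECTED_HEADERS = {
    "cache-control": {"no-cache", "no-store", "max-age=0", "must-revalidate"},
    "pragma": {"no-cache"},
    "expires": {"0"},
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"deny"},
}

# Constructed sample: a response carrying the full default header set.
HEALTHY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Cache-Control: no-cache, no-store, max-age=0, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Expires: 0\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    '{"account":"12345","balance":"9000"}'
)

# Constructed sample: the failure mode the advisory describes, where the
# security headers never reach the response at all.
BROKEN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"account":"12345","balance":"9000"}'
)

# Constructed sample: headers present, but Cache-Control permits caching.
WEAK_CACHE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Cache-Control: public, max-age=3600\r\n"
    "Pragma: no-cache\r\n"
    "Expires: 0\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "{}"
)


def parse_response_headers(raw: str) -> dict:
    """Return the header block of a raw HTTP/1.1 response as a lowercase-keyed dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def header_findings(headers: dict) -> list:
    """List each expected header that is absent or lacks a required directive."""
    findings = []
    for name, required in EXPECTED_HEADERS.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing: {name}")
            continue
        present = {token.strip().lower() for token in value.split(",")}
        lacking = required - present
        if lacking:
            findings.append(f"weak: {name}={value!r} lacks {sorted(lacking)}")
    return findings


def check_response(raw: str) -> list:
    """Findings for a raw response string (empty list means all defaults present)."""
    return header_findings(parse_response_headers(raw))


if __name__ == "__main__":
    for label, raw in (("healthy", HEALTHY_RESPONSE),
                       ("broken", BROKEN_RESPONSE),
                       ("weak-cache", WEAK_CACHE_RESPONSE)):
        findings = check_response(raw)
        print(f"{label}: {'OK' if not findings else findings}")
```

Against a live application, feed `check_response` the output of `curl -si` for an authenticated endpoint; the parser expects the CRLF line endings curl preserves. A deliberately relaxed Cache-Control on a specific endpoint is reported as "weak" rather than "missing", which separates a configuration choice from the wholesale absence of headers that this advisory concerns.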
Users of affected versions should upgrade to the fixed release on their line: 5.7.x to 5.7.22, 5.8.x to 5.8.24, 6.3.x to 6.3.15, 6.4.x to 6.4.15, 6.5.x to 6.5.9, and 7.0.x to 7.0.4. Of these, 5.7.22, 5.8.24, 6.3.15, 6.4.15, and 7.0.4 are available under Spring Enterprise support, while 6.5.9 is available as open source.
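The following script turns the version ranges and upgrade targets above into a check that can be run over a build's resolved dependencies. It is an added example, not code from the advisory or from the Spring Security project; the dependency listing it scans is constructed to look like `mvn dependency:list` output, and the ranges it encodes are exactly those listed on this page.

```python
"""Flag Spring Security artifacts in a Maven dependency list that fall in the
advisory's affected ranges.

Added example (not code from the advisory or from the Spring Security
project). The ranges and fix versions are the ones listed in the advisory;
the dependency-list text below is constructed to look like
`mvn dependency:list` output.
"""
import re

# (first affected, last affected, fixed version) for each supported line.
AFFECTED_RANGES = [
    ((5, 7, 0), (5, 7, 21), "5.7.22"),
    ((5, 8, 0), (5, 8, 23), "5.8.24"),
    ((6, 3, 0), (6, 3, 14), "6.3.15"),
    ((6, 4, 0), (6, 4, 14), "6.4.15"),
    ((6, 5, 0), (6, 5, 8), "6.5.9"),
    ((7, 0, 0), (7, 0, 3), "7.0.4"),
]

# Constructed sample in the shape of `mvn dependency:list` output.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.security:spring-security-core:jar:6.4.14:compile
[INFO]    org.springframework.security:spring-security-web:jar:6.4.14:compile
[INFO]    org.springframework.security:spring-security-config:jar:6.4.14:compile
[INFO]    org.springframework.boot:spring-boot-starter-web:jar:3.4.0:compile
"""

# groupId:artifactId:type:version:scope, restricted to the Spring Security group.
ARTIFACT_RE = re.compile(
    r"org\.springframework\.security:(spring-security-[\w-]+):[\w-]+:([^:\s]+):"
)


def parse_version(text: str) -> tuple:
    """Reduce '6.4.14', '5.8.23.RELEASE' or '7.0.3-SNAPSHOT' to (major, minor, patch)."""
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version_text: str) -> tuple:
    """Return (status, fix_version) for one version string.

    status is 'affected', 'fixed' or 'not-listed'. A line the advisory does
    not list (for example 6.2.x) is out of support, and the advisory notes
    that older unsupported versions may also be affected, so 'not-listed'
    is not a clean bill of health.
    """
    version = parse_version(version_text)
    for first, last, fix in AFFECTED_RANGES:
        if version[:2] == first[:2]:
            return ("affected", fix) if version <= last else ("fixed", fix)
    return ("not-listed", None)


def scan_dependency_list(output: str) -> list:
    """Return (artifact, version, status, fix) for every spring-security artifact found."""
    results = []
    for artifact, version in ARTIFACT_RE.findall(output):
        status, fix = assess(version)
        results.append((artifact, version, status, fix))
    return results


if __name__ == "__main__":
    for artifact, version, status, fix in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        advice = f"upgrade to {fix}" if status == "affected" else status
        print(f"{artifact} {version}: {advice}")
```

In a real build, pipe `mvn dependency:list` (or the equivalent Gradle report, after adjusting the regex) into `scan_dependency_list`; every `spring-security-*` artifact should come back as "fixed" before the advisory can be considered closed, and a "not-listed" result means the line is unsupported and should be treated as suspect rather than clean.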