{ "threat_severity" : "Important", "public_date" : "2025-04-28T07:10:35Z", "bugzilla" : { "description" : "org.springframework.boot/spring-boot: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed", "id" : "2362668", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2362668" }, "cvss3" : { "cvss3_base_score" : "7.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status" : "draft" }, "cwe" : "CWE-20", "details" : [ "EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.\nYour application may be affected by this if all the following conditions are met:\n* You use Spring Security\n* EndpointRequest.to() has been used in a Spring Security chain configuration\n* The endpoint which EndpointRequest references is disabled or not exposed via web\n* Your application handles requests to /null and this path needs protection\nYou are not affected if any of the following is true:\n* You don't use Spring Security\n* You don't use EndpointRequest.to()\n* The endpoint which EndpointRequest.to() refers to is enabled and is exposed\n* Your application does not handle requests to /null or this path does not need protection", "A flaw was found in the Spring Boot configuration. This vulnerability allows unauthorised access to the /null/** path via misconfigured security matchers when referencing disabled or non-exposed Spring Boot actuator endpoints." ], "statement" : "Your application may be affected by this if all the following conditions are met:\n- You use Spring Security\n- EndpointRequest.to() has been used in a Spring Security chain configuration\n- The endpoint which EndpointRequest references is disabled or not exposed via web\n- Your application handles requests to /null and this path needs protection\nYou are not affected if any of the following is true:\n- You don't use Spring Security\n- You don't use EndpointRequest.to()\n- The endpoint which EndpointRequest.to() refers to is enabled and is exposed\n- Your application does not handle requests to /null or this path does not need protection", "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat AMQ Clients", "fix_state" : "Affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:amq_clients:2023" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat build of OptaPlanner 8", "fix_state" : "Will not fix", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:optaplanner:::el6" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Will not fix", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "log4j:2/log4j", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "log4j", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Will not fix", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Will not fix", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Will not fix", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Not affected", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "streams for Apache Kafka", "fix_state" : "Will not fix", "package_name" : "spring-boot", "cpe" : "cpe:/a:redhat:amq_streams:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-22235\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-22235\nhttps://github.com/advisories/GHSA-rc42-6c7j-7h5r\nhttps://spring.io/security/cve-2025-22235" ], "name" : "CVE-2025-22235", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }