
CVE-2025-22232

Published: 10 Apr 2025
Source: redhat
CVSS3: 5.3
EPSS: Low

Description

Spring Cloud Config Server may not use the Vault token sent by clients in an X-CONFIG-TOKEN header when making requests to Vault. Your application may be affected by this if all of the following are true:

  • You have Spring Vault on the classpath of your Spring Cloud Config Server, and
  • You are using the X-CONFIG-TOKEN header to send a Vault token to the Spring Cloud Config Server for the Config Server to use when making requests to Vault, and
  • You are using the default Spring Vault SessionManager implementation LifecycleAwareSessionManager, or a SessionManager implementation that persists the Vault token, such as SimpleSessionManager. In this case the SessionManager persists the first token it retrieves and will continue to use that token even if later client requests to the Spring Cloud Config Server include an X-CONFIG-TOKEN header with a different value.

Affected Spring Products and Versions

Spring Cloud Config:
  • 2.2.1.RELEASE - 4.2.1

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version   Availability
4.2.x                 4.2.2         OSS
4.1.x                 4.1.6         OSS
4.0.x                 4.0.10        Commercial
3.1.x                 3.1.10        Commercial
3.0.x                 4.1.6         OSS
2.2.x                 4.1.6         OSS

NOTE: Spring Cloud Config 3.0.x and 2.2.x are no longer under open source or commercial support. Users of these versions are encouraged to upgrade to a supported version. No other mitigation steps are necessary.
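The failure mode the advisory describes is a credential cached at session scope when it should be taken from each request. The following is an added model written for this page, not Spring Cloud Config's or Spring Vault's code: CachingSessionManager, PerRequestSessionManager, FakeVault, ConfigServer and the hvs.client-* token values are all constructed names. It reproduces the effect the advisory states (the first token seen is reused for a later client that sent a different X-CONFIG-TOKEN) and packages the two-token check a defender can adapt into a functional test against a staging Config Server, confirming on the Vault side (for example via its audit log) that each request arrives with its own token after the upgrade.

```python
"""Model of the token-caching behaviour described for CVE-2025-22232.

Everything here is a constructed stand-in; it does not call Spring or Vault.
"""


class CachingSessionManager:
    """Models a SessionManager that persists the first token it obtains
    (the behaviour the advisory attributes to LifecycleAwareSessionManager
    and SimpleSessionManager)."""

    def __init__(self):
        self._token = None

    def get_session_token(self, request_token):
        if self._token is None:
            self._token = request_token  # first token wins, for every later request
        return self._token


class PerRequestSessionManager:
    """Models the intended behaviour: the token from the current request is used."""

    def get_session_token(self, request_token):
        return request_token


class FakeVault:
    """Constructed Vault stand-in that records which token each request carried."""

    def __init__(self):
        self.seen_tokens = []

    def read(self, path, token):
        self.seen_tokens.append(token)
        return {"path": path, "token": token}


class ConfigServer:
    """Constructed Config Server: takes X-CONFIG-TOKEN from the request headers,
    asks its session manager which token to use, then reads from Vault."""

    def __init__(self, session_manager, vault):
        self.session_manager = session_manager
        self.vault = vault

    def handle(self, application, headers):
        request_token = headers.get("X-CONFIG-TOKEN")
        if request_token is None:
            raise ValueError("X-CONFIG-TOKEN header is required in this model")
        vault_token = self.session_manager.get_session_token(request_token)
        return self.vault.read(f"secret/{application}", vault_token)


def tokens_forwarded(session_manager_factory):
    """Send two requests with different X-CONFIG-TOKEN values (constructed sample
    tokens) and return, in order, the tokens that actually reached Vault."""
    vault = FakeVault()
    server = ConfigServer(session_manager_factory(), vault)
    server.handle("app-a", {"X-CONFIG-TOKEN": "hvs.client-a"})
    server.handle("app-b", {"X-CONFIG-TOKEN": "hvs.client-b"})
    return vault.seen_tokens


def is_affected(session_manager_factory):
    """Two-token check: the server is affected if the second client's request
    reached Vault with a token other than the one that client sent."""
    seen = tokens_forwarded(session_manager_factory)
    return seen[1] != "hvs.client-b"


if __name__ == "__main__":
    for factory in (CachingSessionManager, PerRequestSessionManager):
        print(factory.__name__, tokens_forwarded(factory), "affected:", is_affected(factory))
```

The same check carries over to a real deployment: two requests with distinct tokens should produce two distinct tokens on the Vault side, and a server on a fixed version should additionally reject a request whose token is not valid for the requested path rather than silently serving it with another client's credential.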

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

Platform                                                 Package                      State          Recommendation   Release
A-MQ Clients 2                                           spring-cloud-config-server   Fix deferred
Red Hat Enterprise Linux 8                               log4j:2/log4j                Fix deferred
Red Hat Enterprise Linux 9                               log4j                        Fix deferred
Red Hat JBoss Enterprise Application Platform 7          spring-cloud-config-server   Fix deferred
Red Hat JBoss Enterprise Application Platform 8          spring-cloud-config-server   Fix deferred
Red Hat JBoss Enterprise Application Platform Expansion Pack   spring-cloud-config-server   Fix deferred


Additional information

Severity:
Moderate

Weakness:
CWE-287

https://bugzilla.redhat.com/show_bug.cgi?id=2358900
spring-cloud-config-server: Spring Cloud Config Server May Not Use Vault Token Sent By Clients

EPSS

Percentile: 18%
0.00057
Low

5.3 Medium

CVSS3

Related vulnerabilities

CVSS3: 5.3
nvd
9 months ago
(same description as above)

CVSS3: 5.3
github
9 months ago
(same description as above)
