Description
Applications that use the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and earlier may be vulnerable to a bypass of the “Sensitive Headers” restriction when handling requests with specially constructed URLs. Applications that use Spring Security's StrictHttpFirewall (enabled by default for all URLs) are not affected, because it rejects the requests that would allow the bypass.
Remediation
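The advisory names Spring Security's StrictHttpFirewall as the control that blocks the bypass. The configuration below is an added example, not code from the advisory or from the Spring Cloud Netflix project: it pins StrictHttpFirewall explicitly in a Zuul proxy application so that a later change cannot silently replace it with a more permissive HttpFirewall. It assumes Spring Boot 2.x with spring-boot-starter-security and spring-cloud-starter-netflix-zuul on the classpath; the package and class names are hypothetical.

```java
// Added example (hypothetical package/class names); not from the advisory or the project.
// Pair this with the usual zuul.sensitiveHeaders / zuul.routes.<route>.sensitiveHeaders
// settings in application.yml, which control which headers Zuul strips per route.
package com.example.gateway;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
@EnableWebSecurity
public class GatewayFirewallConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) {
        // StrictHttpFirewall is already Spring Security's default, but setting it
        // explicitly guards against someone swapping in DefaultHttpFirewall to make
        // a rejected URL "work". It rejects non-normalized and suspiciously encoded
        // request URIs before they reach Zuul's routing and sensitive-header filtering,
        // which is why the advisory lists it as a protection against this bypass.
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        web.httpFirewall(firewall);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Placeholder for the application's own authorization rules; the firewall
        // above is applied to every request regardless of what is configured here.
        http.authorizeRequests().anyRequest().permitAll();
    }
}
```

Keeping the firewall explicit makes a regression visible in code review, and the Zuul version should still be raised above 2.2.6.RELEASE rather than relying on the firewall alone.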
References
https://tanzu.vmware.com/security/cve-2021-22113