
CVE-2025-22235

· Published 28/04/2025 08:15 · Modified 28/04/2025 08:15

Labels: CVE-2025-22235 · 2025-04-28 · CWE-20 · [email protected]

Essential information

Published: 28/04/2025 08:15
Modified: 28/04/2025 08:15
Author: Creator
CVSS: 7.3 HIGH (v3.1)
CISA KEV: No
CWE: CWE-20
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L


Description

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

Your application may be affected by this if all of the following conditions are met:
* You use Spring Security
* EndpointRequest.to() has been used in a Spring Security chain configuration
* The endpoint which EndpointRequest.to() references is disabled or not exposed via web
* Your application handles requests to /null and this path needs protection

You are not affected if any of the following is true:
* You don't use Spring Security
* You don't use EndpointRequest.to()
* The endpoint which EndpointRequest.to() refers to is enabled and is exposed
* Your application does not handle requests to /null or this path does not need protection
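The following is an added example illustrating the conditions above; it is not code from this advisory or from the Spring project. It assumes a Spring Boot 3.x application with spring-boot-starter-actuator and spring-boot-starter-security, a `@SpringBootApplication` class in the hypothetical package `com.example.demo`, and `management.endpoints.web.exposure.include=health` in application.properties, so that the `shutdown` endpoint is neither enabled (it is disabled by default) nor exposed. The profile name `vulnerable-demo` and the role `ACTUATOR` are also assumptions. The first configuration reproduces the vulnerable pattern: `EndpointRequest.to(ShutdownEndpoint.class)` names an endpoint that is disabled and unexposed, so on an affected version the `permitAll()` rule applies to `/null` and `/null/**` instead of the actuator path. The second configuration is the hardened form, and the MockMvc tests are the check a practitioner can run to tell the two behaviours apart.

```java
package com.example.demo;   // hypothetical package; must sit under the @SpringBootApplication class

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.context.ShutdownEndpoint;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

/** Vulnerable pattern, only active under the assumed 'vulnerable-demo' profile. */
@Configuration
@Profile("vulnerable-demo")
class VulnerableActuatorSecurity {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                // ShutdownEndpoint is disabled (default) and not in the exposure list, so on an
                // affected Spring Boot version this matcher is built for "null/**" rather than
                // the actuator path. The permitAll() therefore opens /null and /null/** to
                // anonymous callers, which matters whenever the application serves those paths.
                .requestMatchers(EndpointRequest.to(ShutdownEndpoint.class)).permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

/** Hardened configuration, active in the default profile. */
@Configuration
@Profile("!vulnerable-demo")
class HardenedActuatorSecurity {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                // Authorization rules are first-match. Pinning the literal /null paths before
                // any EndpointRequest rule guarantees that a matcher which silently degraded to
                // "null/**" further down the chain can no longer open them.
                .requestMatchers("/null", "/null/**").authenticated()
                // Match exposed endpoints as a group instead of naming a specific endpoint that
                // may be disabled or unexposed in some deployments.
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

/** With HTTP Basic configured, an anonymous request to a protected path yields 401. */
@SpringBootTest
@AutoConfigureMockMvc
class HardenedNullPathTest {
    @Autowired MockMvc mvc;

    @Test
    void nullPathsRequireAuthentication() throws Exception {
        mvc.perform(get("/null")).andExpect(status().isUnauthorized());
        mvc.perform(get("/null/anything")).andExpect(status().isUnauthorized());
        mvc.perform(get("/actuator/health")).andExpect(status().isUnauthorized());
    }
}

/**
 * Documents the affected behaviour: because no controller serves /null in this demo, an
 * anonymous request reaching the dispatcher gets 404 instead of 401, which proves the
 * permitAll() rule was applied to /null. This test is expected to FAIL (401 instead of
 * 404) once the application runs on a Spring Boot version that contains the fix.
 */
@SpringBootTest
@AutoConfigureMockMvc
@ActiveProfiles("vulnerable-demo")
class VulnerableNullPathTest {
    @Autowired MockMvc mvc;

    @Test
    void nullPathIsOpenOnAffectedVersions() throws Exception {
        mvc.perform(get("/null")).andExpect(status().isNotFound());
        mvc.perform(get("/null/anything")).andExpect(status().isNotFound());
    }
}
```

The explicit `/null` rule is deliberately redundant with `anyRequest().authenticated()` in the hardened chain; its value is positional, since it precedes every `EndpointRequest` rule and so cannot be overridden by one. Upgrading Spring Boot remains the actual fix; the explicit rule and the switch to `toAnyEndpoint()` are the mitigations available to a deployment that cannot upgrade immediately.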

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]

Affected products (CPE)

Product: spring / spring security
CPE: cpe:2.3:a:spring:spring_security:*:*:*:*:*:*:*:*
