CVE-2025-22232 (GCVE-0-2025-22232)
Vulnerability from cvelistv5
Published
2025-04-10 17:26
Modified
2025-04-10 18:08
CWE
  • CWE-287 - Improper Authentication
Summary
Spring Cloud Config Server may not use the Vault token sent by clients in an X-CONFIG-TOKEN header when making requests to Vault. Your application may be affected if all of the following are true:

  • You have Spring Vault on the classpath of your Spring Cloud Config Server, and
  • You are using the X-CONFIG-TOKEN header to send a Vault token to the Spring Cloud Config Server for the Config Server to use when making requests to Vault, and
  • You are using the default Spring Vault SessionManager implementation, LifecycleAwareSessionManager, or a SessionManager implementation that persists the Vault token, such as SimpleSessionManager.

In this case the SessionManager persists the first token it retrieves and continues to use that token even if later client requests to the Spring Cloud Config Server include an X-CONFIG-TOKEN header with a different value.

Affected Spring Products and Versions
Spring Cloud Config:
  • 2.2.1.RELEASE - 4.2.1

Mitigation
Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version   Availability
4.2.x                 4.2.2         OSS
4.1.x                 4.1.6         OSS
4.0.x                 4.0.10        Commercial
3.1.x                 3.1.10        Commercial
3.0.x                 4.1.6         OSS
2.2.x                 4.1.6         OSS

NOTE: Spring Cloud Config 3.0.x and 2.2.x are no longer under open source or commercial support. Users of these versions are encouraged to upgrade to a supported version.

No other mitigation steps are necessary.
Impacted products
Vendor   Product              Version
Spring   Spring Cloud Config  4.2.x   < 4.2.2
                              4.1.x   < 4.1.6
                              4.0.x   < 4.0.10
                              3.1.x   < 3.1.10
                              3.0.x   < 4.1.6
                              2.2.x   < 4.1.6


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-22232",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-10T18:08:12.310467Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-10T18:08:28.560Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Spring Cloud Config",
          "vendor": "Spring",
          "versions": [
            {
              "lessThan": "4.2.2",
              "status": "affected",
              "version": "4.2.x",
              "versionType": "custom"
            },
            {
              "lessThan": "4.1.6",
              "status": "affected",
              "version": "4.1.x",
              "versionType": "custom"
            },
            {
              "lessThan": "4.0.10",
              "status": "affected",
              "version": "4.0.x",
              "versionType": "custom"
            },
            {
              "lessThan": "3.1.10",
              "status": "affected",
              "version": "3.1.x",
              "versionType": "custom"
            },
            {
              "lessThan": "4.1.6",
              "status": "affected",
              "version": "3.0.x",
              "versionType": "custom"
            },
            {
              "lessThan": "4.1.6",
              "status": "affected",
              "version": "2.2.x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2025-04-07T16:40:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Spring Cloud Config Server may not use Vault token sent by clients using a \u003ccode\u003eX-CONFIG-TOKEN\u003c/code\u003e\u0026nbsp;header when making requests to Vault.\u003cbr\u003eYour application may be affected by this if the following are true:\u003cbr\u003e\u003col\u003e\u003cli\u003eYou have Spring Vault on the classpath of your Spring Cloud Config Server and\u003c/li\u003e\u003cli\u003eYou are using the \u003ccode\u003eX-CONFIG-TOKEN\u003c/code\u003e\u0026nbsp;header to send a Vault token to the Spring Cloud Config Server for the Config Server to use when making requests to Vault and\u003c/li\u003e\u003cli\u003eYou are using the default Spring Vault \u003ccode\u003eSessionManager\u003c/code\u003e\u0026nbsp;implementation \u003ccode\u003eLifecycleAwareSessionManager\u003c/code\u003e\u0026nbsp;or a \u003ccode\u003eSessionManager\u003c/code\u003e\u0026nbsp;implementation that persists the Vault token such as \u003ccode\u003eSimpleSessionManager\u003c/code\u003e.\u003c/li\u003e\u003c/ol\u003e\u003cbr\u003eIn this case the \u003ccode\u003eSessionManager\u003c/code\u003e\u0026nbsp;persists the first token it retrieves and will continue to use that token even if client requests to the Spring Cloud Config Server include a \u003ccode\u003eX-CONFIG-TOKEN\u003c/code\u003e\u0026nbsp;header with a different value.\u003cbr\u003eAffected Spring Products and Versions\u003cbr\u003eSpring Cloud Config:\u003cbr\u003e\u003cul\u003e\u003cli\u003e2.2.1.RELEASE - 4.2.1\u003c/li\u003e\u003c/ul\u003eMitigation\u003cbr\u003eUsers of affected versions should upgrade to the corresponding fixed version.\u003cbr\u003e\u003cbr\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eAffected version(s)\u003c/th\u003e\u003cth\u003eFix 
version\u003c/th\u003e\u003cth\u003eAvailability\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e4.2.x\u003c/td\u003e\u003ctd\u003e4.2.2\u003c/td\u003e\u003ctd\u003eOSS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e4.1.x\u003c/td\u003e\u003ctd\u003e4.1.6\u003c/td\u003e\u003ctd\u003eOSS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e4.0.x\u003c/td\u003e\u003ctd\u003e4.0.10\u003c/td\u003e\u003ctd\u003eCommercial\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e3.1.x\u003c/td\u003e\u003ctd\u003e3.1.10\u003c/td\u003e\u003ctd\u003eCommercial\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e3.0.x\u003c/td\u003e\u003ctd\u003e4.1.6\u003c/td\u003e\u003ctd\u003eOSS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e2.2.x\u003c/td\u003e\u003ctd\u003e4.1.6\u003c/td\u003e\u003ctd\u003eOSS\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003eNOTE: Spring Cloud Config 3.0.x and 2.2.x are no longer under open source or commercial support. Users of these versions are encouraged to upgrade to a supported version.\u003cbr\u003e\u003cbr\u003eNo other mitigation steps are necessary.\u003cbr\u003e"
            }
          ],
          "value": "Spring Cloud Config Server may not use Vault token sent by clients using a X-CONFIG-TOKEN\u00a0header when making requests to Vault.\nYour application may be affected by this if the following are true:\n  *  You have Spring Vault on the classpath of your Spring Cloud Config Server and\n  *  You are using the X-CONFIG-TOKEN\u00a0header to send a Vault token to the Spring Cloud Config Server for the Config Server to use when making requests to Vault and\n  *  You are using the default Spring Vault SessionManager\u00a0implementation LifecycleAwareSessionManager\u00a0or a SessionManager\u00a0implementation that persists the Vault token such as SimpleSessionManager.\n\nIn this case the SessionManager\u00a0persists the first token it retrieves and will continue to use that token even if client requests to the Spring Cloud Config Server include a X-CONFIG-TOKEN\u00a0header with a different value.\nAffected Spring Products and Versions\nSpring Cloud Config:\n  *  2.2.1.RELEASE - 4.2.1\n\n\nMitigation\nUsers of affected versions should upgrade to the corresponding fixed version.\n\nAffected version(s)Fix versionAvailability4.2.x4.2.2OSS4.1.x4.1.6OSS4.0.x4.0.10Commercial3.1.x3.1.10Commercial3.0.x4.1.6OSS2.2.x4.1.6OSS\nNOTE: Spring Cloud Config 3.0.x and 2.2.x are no longer under open source or commercial support. Users of these versions are encouraged to upgrade to a supported version.\n\nNo other mitigation steps are necessary."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-10T17:26:56.755Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://spring.io/security/cve-2025-22232"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Spring Cloud Config Server May Not Use Vault Token Sent By Clients",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIf you cannot upgrade, then you can either:\u003c/p\u003e\u003col\u003e\u003cli\u003eRemove Spring Vault from the classpath if it is not needed or\u003c/li\u003e\u003cli\u003eImplement your own \u003ccode\u003eSessionManager\u003c/code\u003e\u0026nbsp;that does not persist the Vault token and provide a bean using that implementation in a \u003ccode\u003e@Configuration\u003c/code\u003e\u0026nbsp;class. For example:\u003c/li\u003e\u003c/ol\u003e\u003cbr\u003e\u003ctt\u003e\u003cbr\u003epublic class StatelessSessionManager implements SessionManager {\u003cbr\u003e\u003cbr\u003e\u0026nbsp; private final ClientAuthentication clientAuthentication;\u003cbr\u003e\u003cbr\u003e\u0026nbsp; private final ReentrantLock lock = new ReentrantLock();\u003cbr\u003e\u003cbr\u003e\u0026nbsp; public StatelessSessionManager(ClientAuthentication clientAuthentication) {\u003cbr\u003e\u0026nbsp; \u0026nbsp; Assert.notNull(clientAuthentication, \"ClientAuthentication must not be null\");\u003cbr\u003e\u0026nbsp; \u0026nbsp; this.clientAuthentication = clientAuthentication;\u003cbr\u003e\u0026nbsp; }\u003cbr\u003e\u003cbr\u003e\u0026nbsp; public VaultToken getSessionToken() {\u003cbr\u003e\u0026nbsp; \u0026nbsp; this.lock.lock();\u003cbr\u003e\u0026nbsp; \u0026nbsp; try {\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; return this.clientAuthentication.login();\u003cbr\u003e\u0026nbsp; \u0026nbsp; }\u003cbr\u003e\u0026nbsp; \u0026nbsp; finally {\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; this.lock.unlock();\u003cbr\u003e\u0026nbsp; \u0026nbsp; }\u003cbr\u003e\u0026nbsp; }\u003cbr\u003e\u003cbr\u003e}\u003cbr\u003e\u003cbr\u003e@Configuration\u003cbr\u003epublic class MySessionManagerConfiguration extends SpringVaultClientConfiguration {\u003cbr\u003e\u003cbr\u003e\u0026nbsp; private final VaultEnvironmentProperties vaultProperties;\u003cbr\u003e\u003cbr\u003e\u0026nbsp; public MySessionManagerConfiguration(VaultEnvironmentProperties 
vaultProperties, ConfigTokenProvider configTokenProvider, List\u0026lt;springvaultclientauthenticationprovider\u0026gt; authProviders) {\u003cbr\u003e\u0026nbsp; \u0026nbsp; super(vaultProperties, configTokenProvider, authProviders);\u003cbr\u003e\u0026nbsp; \u0026nbsp; this.vaultProperties = vaultProperties;\u003cbr\u003e\u0026nbsp; }\u003cbr\u003e\u003cbr\u003e\u0026nbsp; @Bean\u003cbr\u003e\u0026nbsp; @Primary\u003cbr\u003e\u0026nbsp; public SessionManager sessionManager() {\u003cbr\u003e\u0026nbsp; \u0026nbsp; if (vaultProperties.getAuthentication() == null \u0026amp;\u0026amp; !StringUtils.hasText(vaultProperties.getToken())) {\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; return new StatelessSessionManager(clientAuthentication());\u003cbr\u003e\u0026nbsp; \u0026nbsp; }\u003cbr\u003e\u0026nbsp; \u0026nbsp; return super.sessionManager();\u003cbr\u003e\u0026nbsp; }\u003cbr\u003e}\u003cbr\u003e\u0026lt;/springvaultclientauthenticationprovider\u0026gt;\u003cbr\u003e\u003c/tt\u003e\u003cbr\u003e"
            }
          ],
          "value": "If you cannot upgrade, then you can either:\n\n  *  Remove Spring Vault from the classpath if it is not needed or\n  *  Implement your own SessionManager\u00a0that does not persist the Vault token and provide a bean using that implementation in a @Configuration\u00a0class. For example:\n\n\npublic class StatelessSessionManager implements SessionManager {\n\n\u00a0 private final ClientAuthentication clientAuthentication;\n\n\u00a0 private final ReentrantLock lock = new ReentrantLock();\n\n\u00a0 public StatelessSessionManager(ClientAuthentication clientAuthentication) {\n\u00a0 \u00a0 Assert.notNull(clientAuthentication, \"ClientAuthentication must not be null\");\n\u00a0 \u00a0 this.clientAuthentication = clientAuthentication;\n\u00a0 }\n\n\u00a0 public VaultToken getSessionToken() {\n\u00a0 \u00a0 this.lock.lock();\n\u00a0 \u00a0 try {\n\u00a0 \u00a0 \u00a0 return this.clientAuthentication.login();\n\u00a0 \u00a0 }\n\u00a0 \u00a0 finally {\n\u00a0 \u00a0 \u00a0 this.lock.unlock();\n\u00a0 \u00a0 }\n\u00a0 }\n\n}\n\n@Configuration\npublic class MySessionManagerConfiguration extends SpringVaultClientConfiguration {\n\n\u00a0 private final VaultEnvironmentProperties vaultProperties;\n\n\u00a0 public MySessionManagerConfiguration(VaultEnvironmentProperties vaultProperties, ConfigTokenProvider configTokenProvider, List\u003cspringvaultclientauthenticationprovider\u003e authProviders) {\n\u00a0 \u00a0 super(vaultProperties, configTokenProvider, authProviders);\n\u00a0 \u00a0 this.vaultProperties = vaultProperties;\n\u00a0 }\n\n\u00a0 @Bean\n\u00a0 @Primary\n\u00a0 public SessionManager sessionManager() {\n\u00a0 \u00a0 if (vaultProperties.getAuthentication() == null \u0026\u0026 !StringUtils.hasText(vaultProperties.getToken())) {\n\u00a0 \u00a0 \u00a0 return new StatelessSessionManager(clientAuthentication());\n\u00a0 \u00a0 }\n\u00a0 \u00a0 return super.sessionManager();\n\u00a0 }\n}\n\u003c/springvaultclientauthenticationprovider\u003e"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2025-22232",
    "datePublished": "2025-04-10T17:26:56.755Z",
    "dateReserved": "2025-01-02T04:29:59.191Z",
    "dateUpdated": "2025-04-10T18:08:28.560Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-22232\",\"sourceIdentifier\":\"security@vmware.com\",\"published\":\"2025-04-10T18:15:46.640\",\"lastModified\":\"2025-04-11T15:39:52.920\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Spring Cloud Config Server may not use Vault token sent by clients using a X-CONFIG-TOKEN\u00a0header when making requests to Vault.\\nYour application may be affected by this if the following are true:\\n  *  You have Spring Vault on the classpath of your Spring Cloud Config Server and\\n  *  You are using the X-CONFIG-TOKEN\u00a0header to send a Vault token to the Spring Cloud Config Server for the Config Server to use when making requests to Vault and\\n  *  You are using the default Spring Vault SessionManager\u00a0implementation LifecycleAwareSessionManager\u00a0or a SessionManager\u00a0implementation that persists the Vault token such as SimpleSessionManager.\\n\\nIn this case the SessionManager\u00a0persists the first token it retrieves and will continue to use that token even if client requests to the Spring Cloud Config Server include a X-CONFIG-TOKEN\u00a0header with a different value.\\nAffected Spring Products and Versions\\nSpring Cloud Config:\\n  *  2.2.1.RELEASE - 4.2.1\\n\\n\\nMitigation\\nUsers of affected versions should upgrade to the corresponding fixed version.\\n\\nAffected version(s)Fix versionAvailability4.2.x4.2.2OSS4.1.x4.1.6OSS4.0.x4.0.10Commercial3.1.x3.1.10Commercial3.0.x4.1.6OSS2.2.x4.1.6OSS\\nNOTE: Spring Cloud Config 3.0.x and 2.2.x are no longer under open source or commercial support. Users of these versions are encouraged to upgrade to a supported version.\\n\\nNo other mitigation steps are necessary.\"},{\"lang\":\"es\",\"value\":\"Es posible que Spring Cloud Config Server no use el token de Vault enviado por los clientes que utilizan un encabezado X-CONFIG-TOKEN al realizar solicitudes a Vault. 
Su aplicaci\u00f3n puede verse afectada por esto si se cumplen las siguientes condiciones: * Tiene Spring Vault en la ruta de clase de su Spring Cloud Config Server y * Est\u00e1 usando el encabezado X-CONFIG-TOKEN para enviar un token de Vault a Spring Cloud Config Server para que Config Server lo use al realizar solicitudes a Vault y * Est\u00e1 usando la implementaci\u00f3n predeterminada de Spring Vault SessionManager, LifecycleAwareSessionManager, o una implementaci\u00f3n de SessionManager que persiste el token de Vault, como SimpleSessionManager. En este caso, SessionManager conserva el primer token que recupera y continuar\u00e1 usando ese token incluso si las solicitudes del cliente al Spring Cloud Config Server incluyen un encabezado X-CONFIG-TOKEN con un valor diferente. Productos y versiones de Spring afectados Spring Cloud Config: * 2.2.1.RELEASE - 4.2.1 Mitigaci\u00f3n Los usuarios de las versiones afectadas deben actualizar a la versi\u00f3n corregida correspondiente.Versi\u00f3n corregida Disponibilidad4.2.x4.2.2OSS4.1.x4.1.6OSS4.0.x4.0.10Comercial3.1.x3.1.10Comercial3.0.x4.1.6OSS2.2.x4.1.6OSS NOTA: Spring Cloud Config 3.0.x y 2.2.x ya no cuentan con soporte comercial o de c\u00f3digo abierto. Se recomienda a los usuarios de estas versiones que las actualicen a una versi\u00f3n compatible. 
No son necesarias otras medidas de mitigaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@vmware.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@vmware.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"references\":[{\"url\":\"https://spring.io/security/cve-2025-22232\",\"source\":\"security@vmware.com\"}]}}"
  }
}