Spring Cloud 漏洞列表

Spring Cloud Gateway 是一个基于Spring框架的API网关组件。该漏洞源于对Spring环境属性修改的不当处理，当满足以下条件时，攻击者可利用该漏洞执行任意代码：应用程序使用Spring Cloud Gateway Server Webflux(4.3.0-4.3.x、4.2.0-4.2.x、4.1.0-4.1.x、4.0.0-4.0.x、3.1.0-3.1.x等版本)、依赖Spring Boot actuator、启用了gateway端点且端点未受保护。

攻击者可以通过访问系统中注册的@systemPropertiesbean，修改配置属性，从而关闭限制性模式。一旦成功绕过限制，攻击者就能够访问@environment等敏感bean，实现应用程序配置信息的泄露，在特定条件下甚至可能实现远程代码执行.

Spring Cloud Function 是基于Spring Boot 的函数计算框架，它抽象出所有传输细节和基础架构，允许开发人员保留所有熟悉的工具和流程，并专注于业务逻辑。 由于Spring Cloud Function中RoutingFunction类的apply方法将请求头中的“spring.cloud.function.routing-expression”参数作为Spel表达式进行处理，造成了Spel表达式注入漏洞，未经授权的远程攻击者可利用该漏洞执行任意代码。 Fofa: app="vmware-SpringBoot-framework"

Spring Cloud Config Server versions 2.1.x prior to 2.1.2, 2.0.x prior to 2.0.4, 1.4.x prior to 1.4.6, and older unsupported versions are vulnerable to local file inclusion because they allow applications to serve arbitrary configuration files. An attacker can send a request using a specially crafted URL that can lead to a directory traversal attack.

Spring Cloud Config versions 2.2.x prior to 2.2.2, 2.1.x prior to 2.1.7, and older unsupported versions are vulnerable to local file inclusion because they allow applications to serve arbitrary configuration files through the spring-cloud-config-server module.

Spring Cloud Config Server versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user or attacker can send a request using a specially crafted URL that can lead to a local file inclusion attack.

Spring Cloud Netflix 2.2.x prior to 2.2.4, 2.1.x prior to 2.1.6, and older unsupported versions are susceptible to server-side request forgery. Applications can use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. An attacker can send a request to other servers and thus potentially access sensitive information, modify data, and/or execute unauthorized operations.

Spring Cloud Netflix Hystrix Dashboard prior to version 2.2.10 is susceptible to remote code execution. Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.

Applications using Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.

Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions are susceptible to remote code execution vulnerabilities. When using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

Spring Cloud Config Server versions 2.1.x prior to 2.1.2, 2.0.x prior to 2.0.4, 1.4.x prior to 1.4.6, and older unsupported versions are vulnerable to local file inclusion because they allow applications to serve arbitrary configuration files. An attacker can send a request using a specially crafted URL that can lead to a directory traversal attack.

Spring Cloud Config versions 2.2.x prior to 2.2.2, 2.1.x prior to 2.1.7, and older unsupported versions are vulnerable to local file inclusion because they allow applications to serve arbitrary configuration files through the spring-cloud-config-server module.

Spring Cloud Config Server versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user or attacker can send a request using a specially crafted URL that can lead to a local file inclusion attack.

Spring Cloud Netflix 2.2.x prior to 2.2.4, 2.1.x prior to 2.1.6, and older unsupported versions are susceptible to server-side request forgery. Applications can use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. An attacker can send a request to other servers and thus potentially access sensitive information, modify data, and/or execute unauthorized operations.

Spring Cloud Netflix Hystrix Dashboard prior to version 2.2.10 is susceptible to remote code execution. Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.

Applications using Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.

Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions are susceptible to remote code execution vulnerabilities. When using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

文件上传漏洞发生在应用程序允许用户上传文件的功能中，如果上传功能未能正确地验证和限制上传文件的类型和内容，攻击者可能利用此漏洞上传恶意文件，如包含可执行代码的脚本文件，从而在服务器上执行任意命令，控制或破坏系统。 详情链接：https://spring.io/security/cve-2024-22263

Spring Cloud Data Flow 反序列化漏洞 可导致代码执行

Spring Cloud Function 是基于Spring Boot 的函数计算框架，通过对传输细节和基础架构进行抽象，为开发人员保留熟悉的开发工具和开发流程，使开发人员专注在实现业务逻辑上，从而提升开发效率。访问Spring Cloud Function的 HTTP请求头中存在 spring.cloud.function.routing-expression参数，其 SpEL表达式可进行注入攻击，并通过 StandardEvaluationContext解析执行。最终，攻击者可通过该漏洞进行远程命令执行。

VMware Spring Cloud Data Flow是美国威睿（VMware）公司的一款用于微服务中流式处理和批处理数据的代码库。 VMware Spring Cloud Data Flow 2.11.0版本至2.11.3版本存在安全漏洞，该漏洞源于有权访问服务器API的恶意用户可以使用特制请求将任意文件写入文件系统上的任何位置。

Spring Cloud Data Flow 任意文件上传漏洞

Spring Cloud Config存在目录遍历漏洞，此漏洞是由于应用程序对请求路径没有进行充分校验导致的。

Spring CloudConfig，为微服务架构中的微服务提供集中化的外部配置支持，配置服务器为各个不同微服务应用的所有环境提供了一个中心化的外部配置。Spring CloudConfig，2.2.2之前的2.2.x版本，2.1.7之前的2.1.x版本，以及更早的不受支持的版本，允许应用程序通过Spring-Cloud-CONFIG-SERVER模块提供任意配置文件。恶意用户或攻击者可以使用巧尽心思构建的URL发送请求，从而导致目录遍历攻击。

Spring Cloud Function存在SPEL表达式注入漏洞，此漏洞是缺乏校验导致的。

Spring Cloud Function存在spel表达式注入漏洞

Spring Cloud Gateway 是基于 Spring Framework 和 Spring Boot 构建的 API网关，它旨在为微服务架构提供一种简单、有效、统一的 API 路由管理方式。当Spring Cloud Gateway启用和暴露 Gateway Actuator端点时，使用 Spring Cloud Gateway 的应用程序可受到代码注入攻击。攻击者可以发送特制的恶意请求，从而远程执行任意代码。