3.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31679

GHSA ID

GHSA-fv7x-v67w-cvqv

EPSS Score

0.51127%

CWE

Published

9/22/2022

Updated

1/31/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31679

CVE-2022-31679: Spring Data REST can expose hidden entity attributes

Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.6.6, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes.

(GitHub Advisory)

3.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31679

GHSA ID

GHSA-fv7x-v67w-cvqv

EPSS Score

0.51127%

CWE

Published

9/22/2022

Updated

1/31/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.springframework.data:spring-data-rest-core	maven	>= 3.6.0, < 3.6.7	3.6.7
org.springframework.data:spring-data-rest-core	maven	>= 3.7.0, < 3.7.3	3.7.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient property visibility checks during JSON Patch processing. The commit introduces BindContext to validate readable/writable properties using Jackson's metadata. Key vulnerable functions include: 1) JsonPatchHandler.applyPatch (lacked context-aware validation), 2) SpelPath.bindTo (path resolution without visibility checks), and 3) MappedProperties.isWritableProperty (incomplete Jackson annotation handling). The patch adds BindContextFactory and JacksonBindContext to properly respect @JsonIgnore and @JsonIgnoreProperties, indicating these were missing in vulnerable versions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ppli**tions t**t *llow *TTP P*T** ****ss to r*sour**s *xpos** *y Sprin* **t* R*ST in v*rsions *.*.* - *.*.*, *.*.* - *.*.*, *n* ol**r unsupport** v*rsions, i* *n *tt**k*r knows **out t** stru*tur* o* t** un**rlyin* *om*in mo**l, t**y **n *r**t *TTP

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt prop*rty visi*ility ****ks *urin* JSON P*t** pro**ssin*. T** *ommit intro*u**s *in**ont*xt to v*li**t* r*****l*/writ**l* prop*rti*s usin* J**kson's m*t***t*. K*y vuln*r**l* *un*tions in*lu**: *) JsonP*t****n*

3.7

Basic Information

Concerned about an active attack path?

CVE-2022-31679: Spring Data REST can expose hidden entity attributes

3.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI