CVE-2026-40999
Spring · Spring WS
Spring WS is vulnerable to Server-Side Request Forgery (SSRF) when processing WS-Addressing headers, allowing attackers to force outbound connections to arbitrary destinations.
Executive summary
Spring WS exhibits a Server-Side Request Forgery vulnerability that allows remote attackers to force the server to initiate unauthorized outbound connections via crafted WS-Addressing headers.
Vulnerability
This is a Server-Side Request Forgery (SSRF) vulnerability that occurs when an AbstractAddressingEndpointMapping subclass is used to route requests. WS-Addressing lets the sender of a request name an endpoint reference in wsa:ReplyTo (for the response) or wsa:FaultTo (for a fault) to which the reply should be delivered out of band; an affected mapping honours any address other than the WS-Addressing anonymous URI by opening a new outbound connection to it. Because that address is taken from the attacker-supplied header without verification, an attacker can direct the server to connect to internal hosts or to sensitive cloud metadata endpoints.
Business impact
With a CVSS score of 8.6, this vulnerability poses a high risk to applications that expose Spring WS endpoints through an AbstractAddressingEndpointMapping subclass. Successful exploitation can lead to internal network reconnaissance, access to cloud environment credentials via instance metadata services, and potential compromise of services that are reachable only from the application's network position, significantly damaging the security posture of the host environment.
Remediation
Immediate Action: Review your Spring WS configuration to determine whether any endpoint mapping extends AbstractAddressingEndpointMapping. If so, apply the fixed release or the configuration changes recommended by the vendor.
Proactive Monitoring: Inspect egress and proxy logs for outbound connection attempts originating from the service that were not expected, particularly those targeting loopback, RFC 1918 or link-local ranges and the cloud metadata endpoint (169.254.169.254).
Compensating Controls: Validate the wsa:ReplyTo and wsa:FaultTo addresses against an allow-list of expected callback hosts before any out-of-band reply is sent (the anonymous address, meaning "reply on the same connection", is the only value that needs no outbound request), and enforce network-level egress controls so the application can only reach authorized, expected endpoints even if the application-level check is bypassed.
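The destination check described under Compensating Controls and the log review described under Proactive Monitoring share one piece of logic: deciding whether a destination is an internal, link-local or metadata address. The following is an added example written for this page, not Spring WS code or vendor-provided mitigation; it expresses the policy in Python so it can be run and tested, with the expectation that a deployment would port it into its own interceptor. The allow-list host `callbacks.partner.example`, the SOAP envelope and the egress-log format are all constructed for the example.

```python
"""Reply-destination policy for WS-Addressing headers plus an egress-log scan.

Added example, not part of Spring WS. The same classifier (is_blocked_ip) is
used both to reject attacker-supplied wsa:ReplyTo / wsa:FaultTo addresses and
to flag outbound connections in constructed log lines.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WSA_NS = "http://www.w3.org/2005/08/addressing"
WSA_ANONYMOUS = WSA_NS + "/anonymous"   # reply on the same connection
WSA_NONE = WSA_NS + "/none"             # no reply at all
SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"  # SOAP 1.2

# Hypothetical allow-list of callback hosts this service is expected to reply to.
ALLOWED_REPLY_HOSTS = {"callbacks.partner.example"}

# Ranges an out-of-band reply must never reach: loopback, RFC 1918, link-local
# (which contains the 169.254.169.254 metadata service), CGNAT, IPv6 ULA/loopback/link-local.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_ip(host: str) -> bool:
    """True if host is a literal IP address inside one of the blocked ranges."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:          # a hostname, not a literal IP
        return False
    return any(ip in net for net in BLOCKED_NETS)


def reply_address_allowed(address):
    """Decide whether a wsa:ReplyTo / wsa:FaultTo address may receive an outbound reply.

    Returns (allowed, reason). Anonymous and none never trigger an outbound
    request; anything else must be http(s), must not be a blocked literal IP
    and must name a host on the allow-list. Requiring an allow-list also covers
    encodings this parser does not recognise (decimal or octal IPs, odd schemes).
    """
    if address is None or address in (WSA_ANONYMOUS, WSA_NONE):
        return True, "no out-of-band reply"
    parts = urlsplit(address)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "unsupported scheme or missing host"
    host = parts.hostname.lower()
    if is_blocked_ip(host):
        return False, "internal or link-local address"
    if host not in ALLOWED_REPLY_HOSTS:
        return False, "host not on reply allow-list"
    return True, "allowed callback host"


def check_envelope(xml_text: str) -> dict:
    """Extract wsa:ReplyTo and wsa:FaultTo from a SOAP 1.2 envelope and apply the policy.

    Result maps header name -> (address, allowed, reason). A duplicated header is
    rejected outright rather than letting the sender choose which copy wins.
    """
    root = ET.fromstring(xml_text)
    header = root.find(f"{{{SOAP_NS}}}Header")
    results = {}
    for name in ("ReplyTo", "FaultTo"):
        eprs = header.findall(f"{{{WSA_NS}}}{name}") if header is not None else []
        if len(eprs) > 1:
            results[name] = (None, False, "duplicate header")
            continue
        addr = None
        if eprs:
            el = eprs[0].find(f"{{{WSA_NS}}}Address")
            addr = el.text.strip() if el is not None and el.text else None
        allowed, reason = reply_address_allowed(addr)
        results[name] = (addr, allowed, reason)
    return results


# Constructed attacker request: ReplyTo points at the cloud metadata service,
# FaultTo at an internal host that only the application can reach.
MALICIOUS_ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsa="{WSA_NS}">
  <soap:Header>
    <wsa:Action>http://example.com/GetOrder</wsa:Action>
    <wsa:MessageID>urn:uuid:1</wsa:MessageID>
    <wsa:To>https://ws.example/orders</wsa:To>
    <wsa:ReplyTo><wsa:Address>http://169.254.169.254/latest/meta-data/</wsa:Address></wsa:ReplyTo>
    <wsa:FaultTo><wsa:Address>http://10.0.0.5:8080/admin</wsa:Address></wsa:FaultTo>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""

# Constructed egress-log lines in a hypothetical "<ts> <source> outbound <url> <status>" format.
EGRESS_LOG = """\
2026-05-01T10:00:01Z ws-app outbound https://callbacks.partner.example/reply 200
2026-05-01T10:00:02Z ws-app outbound http://169.254.169.254/latest/meta-data/ 200
2026-05-01T10:00:03Z ws-app outbound http://10.0.0.5:8080/admin 500
2026-05-01T10:00:04Z ws-app outbound https://api.vendor.example/v1 200
"""
LOG_LINE = re.compile(r"^(\S+) (\S+) outbound (\S+) (\d{3})$")


def suspicious_egress(log_text: str) -> list:
    """Return (timestamp, url) for outbound requests whose host is a blocked literal IP."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, _src, url, _status = m.groups()
        if is_blocked_ip(urlsplit(url).hostname or ""):
            hits.append((ts, url))
    return hits


if __name__ == "__main__":
    for name, (addr, ok, why) in check_envelope(MALICIOUS_ENVELOPE).items():
        print(f"{name}: {addr} -> {'allow' if ok else 'reject'} ({why})")
    for ts, url in suspicious_egress(EGRESS_LOG):
        print(f"suspicious egress at {ts}: {url}")
```

The allow-list is the part that does the real work: a block-list of IP ranges alone is defeated by a hostname that resolves to an internal address (or by DNS rebinding between check and connect), so the network-level egress control from the remediation list remains necessary as the second layer even with this check in place.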
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the potential for SSRF to expose internal environments, administrators must immediately assess their Spring WS implementations to determine whether they route requests through an AbstractAddressingEndpointMapping subclass and therefore meet the criteria for vulnerability. Applying the vendor's recommended mitigations is critical to preventing unauthorized lateral movement or information disclosure within the network.