This vulnerability in VMware Spring Security affects servlet applications that rely on lazy writing of HTTP response headers. When applications specify HTTP headers, these headers may not be written to the response, potentially leading to security issues related to missing or incomplete HTTP headers. The affected versions include Spring Security releases from 5.7.0 through 5.7.21, 5.8.0 through 5.8.23, 6.3.0 through 6.3.14, 6.4.0 through 6.4.14, 6.5.0 through 6.5.8, and 7.0.0 through 7.0.3. The CVSS 3.1 vector indicates the vulnerability is remotely exploitable without authentication or user interaction, with high impact on confidentiality and integrity but no impact on availability. The CWE-425 classification relates to improper handling of HTTP headers. No vendor advisory or patch links are provided, so patch status is unknown.

The vulnerability can cause HTTP response headers to not be written as intended, which may lead to security controls being bypassed or information disclosure due to missing security headers. The CVSS score of 9.1 reflects a critical severity with high confidentiality and integrity impact, meaning attackers could potentially manipulate or gain unauthorized access to sensitive information. There is no indication of availability impact. No known exploits in the wild have been reported so far.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users of affected Spring Security versions should monitor VMware's advisories closely for updates. Until a fix is available, consider reviewing application configurations related to HTTP header management and evaluate if disabling lazy header writing or applying workarounds is possible based on vendor guidance once released.