CVE-2020-5412 – org.springframework.cloud:spring-cloud-netflix
Package
Manager: maven
Name: org.springframework.cloud:spring-cloud-netflix
Vulnerable Version: >=2.2.0 <2.2.4 || >=2.1.0 <2.1.6
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.91356 (percentile 0.99648)
Details
Externally Controlled Reference to a Resource in Another Sphere and Confused Deputy in Spring Cloud Netflix
Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.
Metadata
Created: 2021-04-30T17:29:42Z
Modified: 2021-04-27T21:33:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-qgcg-p3v2-9h4p/GHSA-qgcg-p3v2-9h4p.json
CWE IDs: ["CWE-441", "CWE-610"]
Alternative ID: GHSA-qgcg-p3v2-9h4p
Finding: F098
Auto approve: 1