A vulnerability was found in Spring Cloud Netflix up to 2.1.5/2.2.3 (Cloud Software). It has been declared as critical. Affected by this vulnerability is an unknown function of the component Hystrix Dashboard. The manipulation with an unknown input leads to a confused deputy vulnerability. The CWE definition for the vulnerability is CWE-441. The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.

The weakness was disclosed 08/07/2020 (Website). The advisory is shared at tanzu.vmware.com. This vulnerability is known as CVE-2020-5412 since 01/03/2020. The attack can be launched remotely. The successful exploitation requires a single authentication. Neither technical details nor an exploit are publicly available.

Upgrading to version 2.1.6 or 2.2.4 eliminates this vulnerability.

Productinfo

Type

• Cloud Software

Vendor

• Spring

Name

• Cloud Netflix

Version

• 2.1.0
• 2.1.1
• 2.1.2
• 2.1.3
• 2.1.4
• 2.1.5
• 2.2.0
• 2.2.1
• 2.2.2
• 2.2.3

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion