CVE-2020-5412

Summary

Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.

Affected Software

VendorProductVersion RangeStatus
Spring by VMwareSpring Cloud Netflix2.2 < 2.2.4affected
Spring by VMwareSpring Cloud Netflix2.1 < 2.1.6affected

Weaknesses

  • CWE-441: CWE-441: Unintended Proxy or Intermediary

ADP Enrichment

CVE Program Container

Additional References

References