CVE-2021-22053
N/A
N/A
Summary
Applications using both spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at /hystrix/monitor;[user-provided data], the path elements following hystrix/monitor are being evaluated as SpringEL expressions, which can lead to code execution.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | Spring Cloud Netflix | Spring Cloud Netflix versions 2.2.x prior to 2.2.10.Release + and old unsupported versions | affected |
Weaknesses
- CWE-94: CWE-94: Improper Control of Generation of Code ('Code Injection')
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.