Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFnY2ctcDN2Mi05aDRw
Externally Controlled Reference to a Resource in Another Sphere and Confused Deputy in Spring Cloud Netflix
Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user or attacker can use this endpoint to send requests to other servers that should not be publicly exposed.
Permalink: https://github.com/advisories/GHSA-qgcg-p3v2-9h4p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFnY2ctcDN2Mi05aDRw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: almost 2 years ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N
Identifiers: GHSA-qgcg-p3v2-9h4p, CVE-2020-5412
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-5412
- https://tanzu.vmware.com/security/cve-2020-5412
- https://github.com/advisories/GHSA-qgcg-p3v2-9h4p
Affected Packages
maven:org.springframework.cloud:spring-cloud-netflix
Dependent packages: 20
Dependent repositories: 253
Downloads:
Affected Version Ranges: >= 2.1.0, < 2.1.6; >= 2.2.0, < 2.2.4
Fixed in: 2.1.6, 2.2.4
All affected versions:
All unaffected versions: 3.0.0, 3.0.1, 3.0.5, 3.0.6, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.3