Main Vulnerability Database SB2020080713

SB2020080713 - Information disclosure in Spring Cloud Netflix

Published: August 7, 2020 Updated: February 12, 2021

Security Bulletin ID SB2020080713

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Externally controlled reference to a resource in another sphere (CVE-ID: CVE-2020-5412)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the application allows to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A remote user can send a request to other servers that should not be exposed publicly.

Remediation

Install update from vendor's website.

References

https://tanzu.vmware.com/security/cve-2020-5412