Risk | Medium
Patch available | YES
Number of vulnerabilities | 1
CVE-ID | CVE-2020-5412
CWE-ID | CWE-610
Exploitation vector | Network
Public exploit | N/A
Vulnerable software | Spring Cloud Netflix (Web applications / Other software)
Vendor | Spring
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU50663
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5412
CWE-ID: CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists because the application allows the Hystrix Dashboard proxy.stream endpoint to be used to make requests to any server reachable by the server hosting the dashboard. A remote user can send requests to other servers that should not be exposed publicly.
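As an added detection example, not part of this bulletin or of Spring Cloud Netflix: the script below scans constructed web-server access-log lines for proxy.stream requests and flags those whose proxied target is an internal address or is not on an allowlist of expected Hystrix stream hosts. It assumes the proxied URL is passed in an `origin` query parameter and that the endpoint is served at `/proxy.stream`; the log lines and the allowlist are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jul/2020:10:00:01 +0000] "GET /proxy.stream?origin=http%3A%2F%2Forders.internal%3A8080%2Factuator%2Fhystrix.stream HTTP/1.1" 200 512
10.0.0.5 - - [15/Jul/2020:10:00:02 +0000] "GET /proxy.stream?origin=http%3A%2F%2F10.0.0.12%3A8080%2Fhealth HTTP/1.1" 200 1024
10.0.0.7 - - [15/Jul/2020:10:00:03 +0000] "GET /proxy.stream?origin=http%3A%2F%2Flocalhost%3A9200%2F HTTP/1.1" 200 300
10.0.0.7 - - [15/Jul/2020:10:00:04 +0000] "GET /proxy.stream?origin=http%3A%2F%2Fexample.org%2F HTTP/1.1" 200 300
10.0.0.7 - - [15/Jul/2020:10:00:05 +0000] "GET /hystrix/monitor?stream=orders HTTP/1.1" 200 300
"""
# Hosts the dashboard is expected to proxy to (assumption for this example).
ALLOWED_STREAM_HOSTS = {"orders.internal", "payments.internal"}
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*"')

def is_internal_host(host):
    """True for 'localhost' and loopback, private or link-local IP literals."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname: DNS is deliberately not resolved here
    return ip.is_private or ip.is_loopback or ip.is_link_local

def classify_origin(origin):
    """Return why a proxied origin is suspicious, or None if it is allowed."""
    host = (urlsplit(origin).hostname or "").lower()
    if host in ALLOWED_STREAM_HOSTS:
        return None
    if is_internal_host(host):
        return "internal address"
    return "host not in allowlist"

def find_suspicious_proxy_requests(log_text):
    """Return (client, origin, reason) for proxy.stream calls to disallowed targets."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if not target.path.endswith("/proxy.stream"):
            continue
        for origin in parse_qs(target.query).get("origin", []):
            reason = classify_origin(origin)
            if reason:
                findings.append((m.group("client"), origin, reason))
    return findings
```

Hostnames are matched against the allowlist only; a host that is not an IP literal is never resolved, so a DNS name pointing at an internal address would need a resolving check at the point where the proxy is actually enforced.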
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Spring Cloud Netflix: 2.0.0 - 2.2.3
External links
http://tanzu.vmware.com/security/cve-2020-5412
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.