Information disclosure in Spring Cloud Netflix

Published: 2020-08-07 | Updated: 2021-02-12
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-5412
CWE-ID CWE-610
Exploitation vector Network
Public exploit N/A
Vulnerable software
Spring Cloud Netflix
Web applications / Other software

Vendor Spring

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Externally controlled reference to a resource in another sphere

EUVDB-ID: #VU50663

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5412

CWE-ID: CWE-610 - Externally Controlled Reference to a Resource in Another Sphere

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists because the application allows the Hystrix Dashboard proxy.stream endpoint to be used to make requests to any server reachable by the server hosting the dashboard. A remote user can send requests to other servers that should not be exposed publicly.
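A detection example added to this bulletin (not part of the original advisory and not Spring's code): it scans constructed access-log lines for requests to the dashboard's proxy.stream endpoint whose origin query parameter, the URL the proxy fetches on the caller's behalf, points at a local address or at a host outside an operator-defined allow-list. ALLOWED_HOSTS, the service names and the log lines are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [07/Aug/2020:10:01:09 +0000] "GET /proxy.stream?origin=http%3A%2F%2Forders-svc%3A8080%2Fhystrix.stream HTTP/1.1" 200 2048
10.0.0.9 - bob [07/Aug/2020:10:02:44 +0000] "GET /proxy.stream?origin=http%3A%2F%2F10.0.0.12%3A8500%2F HTTP/1.1" 200 812
10.0.0.9 - bob [07/Aug/2020:10:03:01 +0000] "GET /proxy.stream?origin=http%3A%2F%2Flocalhost%3A8080%2Fhystrix.stream HTTP/1.1" 200 3090
10.0.0.9 - bob [07/Aug/2020:10:03:20 +0000] "GET /proxy.stream HTTP/1.1" 500 0
"""
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" \d{3}')

# Service hosts the dashboard is expected to stream from (operator-defined; constructed here).
ALLOWED_HOSTS = {"orders-svc", "payments-svc"}

def classify_origin(origin, allowed_hosts=ALLOWED_HOSTS):
    """Return None if the proxied origin URL is acceptable, otherwise a short reason."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https"):
        return f"non-http scheme {parts.scheme!r}"
    host = (parts.hostname or "").lower()
    if not host:
        return "missing host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a host name rather than an IP literal
    if host == "localhost" or (addr and (addr.is_loopback or addr.is_link_local)):
        return f"local address {host}"
    if host not in allowed_hosts:
        return f"host {host} not in allow-list"
    return None

def flag_proxy_stream(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (client, user, origin, reason) for each suspicious proxy.stream request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if target.path != "/proxy.stream":
            continue  # only the proxy endpoint is of interest
        origins = parse_qs(target.query).get("origin")
        origin = origins[0] if origins else None
        reason = classify_origin(origin, allowed_hosts) if origin else "missing origin parameter"
        if reason:
            findings.append((m["client"], m["user"], origin, reason))
    return findings
```

Run against real dashboard access logs, the first log line is the legitimate pattern (a known service's hystrix.stream) and the remaining three are what a review should surface.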

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Spring Cloud Netflix: 2.0.0 - 2.2.3

External links

http://tanzu.vmware.com/security/cve-2020-5412

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.