Externally controlled reference to a resource in another sphere in Spring Cloud Netflix - CVE-2020-5412

 

Externally controlled reference to a resource in another sphere in Spring Cloud Netflix - CVE-2020-5412

Published: February 12, 2021


Vulnerability identifier: #VU50663
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-5412
CWE-ID: CWE-610
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Spring
Affected software:
Spring Cloud Netflix

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the application allows to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A remote user can send a request to other servers that should not be exposed publicly.


How to mitigate CVE-2020-5412

Install updates from vendor's website.

Sources