#VU50663 Externally controlled reference to a resource in another sphere in Spring Cloud Netflix


Published: 2021-02-12

Vulnerability identifier: #VU50663

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5412

CWE-ID: CWE-610

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Spring Cloud Netflix
Web applications / Other software

Vendor: Spring

Description

The vulnerability allows a remote user to make the dashboard server issue HTTP requests on their behalf (server-side request forgery) and read the responses, which exposes internal services and the information they serve.

The vulnerability exists because the Hystrix Dashboard proxy.stream endpoint opens whatever stream URL the caller supplies without restricting the target host. A remote user can therefore cause the server hosting the dashboard to send requests to any server that host can reach, including internal services that should not be exposed publicly, and receive the result through the proxy.
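The check missing from the affected versions, written out as an added example (this is not Spring Cloud Netflix code, and the query parameter name `origin`, the allowlisted host names and the request strings are assumptions constructed for the example): the proxy endpoint takes a caller-supplied URL and opens it server-side, so the fix is to compare the parsed hostname against an explicit allowlist of stream sources before the fetch happens.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist for this example: the only hosts whose hystrix.stream
# the dashboard is meant to aggregate. The affected versions had no such list.
# "localhost" is deliberately absent: allowing it would let a caller reach every
# other service bound on the dashboard host itself.
ALLOWED_HOSTS = frozenset({"orders.internal", "payments.internal"})
ALLOWED_SCHEMES = frozenset({"http", "https"})


def vulnerable_proxy_target(query_string: str) -> Optional[str]:
    """The affected behaviour reduced to its essential step: whatever URL arrives
    in the caller-controlled parameter (assumed here to be named `origin`) is the
    URL the dashboard server opens. Nothing checks where it points."""
    origins = parse_qs(query_string).get("origin")
    return origins[0] if origins else None


def validate_origin(url: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept only http(s) URLs whose hostname is
    exactly one of ALLOWED_HOSTS; refuse everything else, including URLs crafted
    to *look* like they target an allowed host."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a malformed or out-of-range port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"

    # Compare the parsed hostname, never a substring of the raw string:
    # "http://orders.internal@169.254.169.254/" contains an allowed name, but its
    # hostname is 169.254.169.254 (userinfo is split off). urlsplit also
    # lowercases the hostname, so case differences are not a bypass either.
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on the allowlist"
    return True, f"ok ({host}:{port or 'default'})"


def hardened_proxy_target(query_string: str) -> Optional[str]:
    """Same entry point with the check applied: returns the URL to open, or None
    when the request must be refused (a real handler would answer 4xx)."""
    target = vulnerable_proxy_target(query_string)
    if target is None:
        return None
    accepted, _reason = validate_origin(target)
    return target if accepted else None


if __name__ == "__main__":
    # Constructed query strings as a client would send them to proxy.stream.
    for qs in (
        "origin=http://orders.internal:8080/hystrix.stream",
        "origin=http://169.254.169.254/latest/meta-data/",
        "origin=http://orders.internal@169.254.169.254/",
        "origin=file:///etc/passwd",
        "origin=http://orders.internal.evil.example/",
    ):
        before = vulnerable_proxy_target(qs)
        after = hardened_proxy_target(qs)
        print(f"{qs!r:60} affected opens: {before!r:50} fixed opens: {after!r}")
```

The comparison is on the exact parsed hostname rather than a prefix or substring, because every common SSRF allowlist bypass (userinfo before an `@`, a longer domain that starts with the allowed name, mixed case, a non-HTTP scheme) survives a string-contains check but not this one. An allowlist of names still trusts DNS for those names, so the dashboard host's resolver and egress rules remain part of the control.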

Mitigation
Upgrade to a fixed release: 2.2.4 for the 2.2.x line and 2.1.6 for the 2.1.x line; older lines are unsupported and should move to a supported branch (see the vendor advisory linked below). Until the upgrade is in place, do not expose the Hystrix Dashboard to untrusted networks, since any caller who can reach proxy.stream can reach whatever the dashboard host can.

Vulnerable software versions

Spring Cloud Netflix: 2.0.0 - 2.2.3


External links
http://tanzu.vmware.com/security/cve-2020-5412


Q & A

Can this vulnerability be exploited remotely?

Yes. A remote user who can reach the dashboard's proxy.stream endpoint can exploit it over the Internet; the CVSS vector above rates the required privileges as low (PR:L), so whatever access control sits in front of the dashboard is the only barrier.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.