Vulnerability identifier: #VU50663
Vulnerability risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5412
CWE-ID: CWE-610
Exploitation vector: Network
Exploit availability: No
Vulnerable software: Spring Cloud Netflix (Web applications / Other software)
Vendor: Spring
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists because the application allows the Hystrix Dashboard proxy.stream endpoint to be used to make requests to any server reachable by the server hosting the dashboard. A remote user can send requests to other servers that should not be publicly exposed.
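The weakness described above is a server-side request forgery: the dashboard forwards a caller-supplied origin without restricting where it may point. The following allowlist check is an added illustration of the kind of validation a proxy endpoint needs before forwarding; it is example code written for this page, not code from the Spring Cloud Netflix project, and the allowlisted host names are constructed placeholders.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed allowlist: the only backends the dashboard proxy may forward to.
ALLOWED_STREAM_HOSTS = {"orders.internal.example", "payments.internal.example"}
ALLOWED_SCHEMES = {"http", "https"}


def check_stream_origin(origin, allowlist=ALLOWED_STREAM_HOSTS):
    """Validate a caller-supplied proxy target.

    Returns (allowed, reason). `reason` is a short string suitable for an
    audit log entry when the request is rejected.
    """
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable origin"

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not permitted"

    # Reject embedded credentials such as http://allowed-host@other-host/,
    # which can mislead a naive string check on the allowlisted name.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not permitted"

    host = parts.hostname
    if host is None:
        return False, "missing host"

    # Reject raw IP literals (IPv4 or IPv6): only named, allowlisted
    # backends are acceptable, so internal address ranges cannot be reached
    # by spelling the target as an address instead of a name.
    try:
        ipaddress.ip_address(host)
        return False, "IP literal not permitted"
    except ValueError:
        pass

    if host.lower() not in allowlist:
        return False, "host not in allowlist"

    # Optional: pin the port so an allowlisted host cannot be used to reach
    # an unrelated service on the same machine.
    if port is not None and port not in (80, 443):
        return False, "port not permitted"

    return True, "ok"


def is_allowed_stream_origin(origin, allowlist=ALLOWED_STREAM_HOSTS):
    """Boolean convenience wrapper around check_stream_origin()."""
    return check_stream_origin(origin, allowlist)[0]


if __name__ == "__main__":
    for candidate in (
        "https://orders.internal.example/hystrix.stream",
        "http://10.0.0.5/hystrix.stream",
        "http://orders.internal.example@other.example/hystrix.stream",
    ):
        print(candidate, "->", check_stream_origin(candidate))
```

The check is deliberately a positive allowlist rather than a denylist of private ranges: a denylist has to anticipate every encoding and every internal address, whereas an allowlist only has to name the handful of backends the dashboard is meant to display.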
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Spring Cloud Netflix: 2.0.0 - 2.2.3
External links
http://tanzu.vmware.com/security/cve-2020-5412
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.