CVE-2020-5412

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-5412

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-5412.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-5412

Aliases

GHSA-qgcg-p3v2-9h4p

Withdrawn

2024-05-15T05:33:54.245237Z

Published

2020-08-07T21:15:10Z

Modified

2023-11-29T08:34:25.958213Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.

References

https://tanzu.vmware.com/security/cve-2020-5412

Affected packages

Git / github.com/spring-cloud/spring-cloud-netflix

Affected ranges

Type: GIT
Repo: https://github.com/spring-cloud/spring-cloud-netflix
Events: Introduced

4164297a89bada128f3363541abbf4151ecb558b

Fixed

a579eb4594713f2f92c90600d74ab7d3930b22b7

Affected versions

v2.*

v2.1.4.RELEASE

v2.2.0.RELEASE

v2.2.1.RELEASE

v2.2.2.RELEASE

v2.2.3.RELEASE