Hystrix Dashboard Proxy In spring-cloud-netflix-hystrix-dashboard
CVE-2020-5412

6.5MEDIUM

Key Information:

Vendor: Spring By Vmware
Status: Spring Cloud Netflix
Vendor: CVE Published:; 7 August 2020

What is CVE-2020-5412?

Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.

Affected Version(s)

Spring Cloud Netflix 2.2 < 2.2.4

Spring Cloud Netflix 2.1 < 2.1.6

References

https://tanzu.vmware.com/security/cve-2020-5412

x_refsource_CONFIRM

EPSS Score

91% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 7, 2020
Vulnerability Reserved
Jan 3, 2020