Vulnerabilities (CVE)

Filtered by vendor Vmware Subscribe
Filtered by product Spring Cloud Netflix
Total 2 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-22053 1 Vmware 1 Spring Cloud Netflix 2024-11-21 6.5 MEDIUM 8.8 HIGH
Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.
CVE-2020-5412 1 Vmware 1 Spring Cloud Netflix 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.