Vulnerabilites related to Spring by VMware - Spring Cloud Netflix
CVE-2020-5412 (GCVE-0-2020-5412)
Vulnerability from cvelistv5
Published
2020-08-07 20:45
Modified
2024-09-16 18:24
Severity ?
CWE
  • CWE-441 - Unintended Proxy or Intermediary
Summary
Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.
References
Impacted products
Vendor Product Version
Spring by VMware Spring Cloud Netflix Version: 2.2   < 2.2.4
Version: 2.1   < 2.1.6
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T08:30:24.134Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://tanzu.vmware.com/security/cve-2020-5412"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Spring Cloud Netflix",
          "vendor": "Spring by VMware",
          "versions": [
            {
              "lessThan": "2.2.4",
              "status": "affected",
              "version": "2.2",
              "versionType": "custom"
            },
            {
              "lessThan": "2.1.6",
              "status": "affected",
              "version": "2.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2020-08-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "CWE-441: Unintended Proxy or Intermediary",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-08-07T20:45:13",
        "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "shortName": "pivotal"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://tanzu.vmware.com/security/cve-2020-5412"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Hystrix Dashboard Proxy In spring-cloud-netflix-hystrix-dashboard",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@pivotal.io",
          "DATE_PUBLIC": "2020-08-05T00:00:00.000Z",
          "ID": "CVE-2020-5412",
          "STATE": "PUBLIC",
          "TITLE": "Hystrix Dashboard Proxy In spring-cloud-netflix-hystrix-dashboard"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Spring Cloud Netflix",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "2.2",
                            "version_value": "2.2.4"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "2.1",
                            "version_value": "2.1.6"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Spring by VMware"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly."
            }
          ]
        },
        "impact": null,
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-441: Unintended Proxy or Intermediary"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://tanzu.vmware.com/security/cve-2020-5412",
              "refsource": "CONFIRM",
              "url": "https://tanzu.vmware.com/security/cve-2020-5412"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
    "assignerShortName": "pivotal",
    "cveId": "CVE-2020-5412",
    "datePublished": "2020-08-07T20:45:13.154243Z",
    "dateReserved": "2020-01-03T00:00:00",
    "dateUpdated": "2024-09-16T18:24:52.747Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}