CVE-2020-5412

CVE Database · CVE-2020-5412

CVE-2020-5412

· MEDIUMModified

CVSS v3.1

6.5

EPSS

10.21%

Published

Aug 7, 2020

Modified

Nov 21, 2024

Public PoC / Exploit (2)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Weaknesses (CWE)

CWE-441CWE-610

Affected Products (2)

vmware · spring_cloud_netflix (up to 2.1.6)vulnerable

vmware · spring_cloud_netflix (up to 2.2.4)vulnerable

References (2)

https://tanzu.vmware.com/security/cve-2020-5412

Vendor Advisory

https://tanzu.vmware.com/security/cve-2020-5412

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs