GHSA-gx3f-hq7p-8fxv

Published: 23 Nov 2021
Source: github
GitHub: reviewed
CVSS3: 7.6

Description

Code injection in spring-cloud-netflix-hystrix-dashboard

Applications using the spring-cloud-netflix-hystrix-dashboard expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at /hystrix/monitor;[user-provided data], the path elements following hystrix/monitor are being evaluated as SpringEL expressions, which can lead to code execution.
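As an added example, not part of the advisory or of the Spring Cloud project, the following Python flags access-log requests whose path has the shape described above (a `;` matrix segment directly after `/hystrix/monitor`) and checks whether a dependency version falls inside the affected range. The log lines are constructed, and comparing only the numeric part of the version (ignoring the Spring qualifier such as RELEASE) is an assumption.

```python
import re

# Constructed sample access-log lines (not from the advisory); the second and
# third requests carry a ";" segment after /hystrix/monitor, the fourth is unrelated.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Nov/2021:10:00:01 +0000] "GET /hystrix/monitor?stream=http%3A%2F%2Fapp%3A8080%2Factuator%2Fhystrix.stream HTTP/1.1" 200 5120
10.0.0.7 - - [23/Nov/2021:10:00:02 +0000] "GET /hystrix/monitor;x=placeholder HTTP/1.1" 200 5120
10.0.0.9 - - [23/Nov/2021:10:00:03 +0000] "GET /hystrix/monitor;a=b;c=d HTTP/1.1" 500 311
10.0.0.11 - - [23/Nov/2021:10:00:04 +0000] "GET /actuator/health HTTP/1.1" 200 15
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Normal dashboard use only appends a query string; a ";" path segment after
# /hystrix/monitor is the shape the advisory says is evaluated as SpEL.
SUSPECT_PATH_RE = re.compile(r'^/hystrix/monitor;(?P<tail>[^?]*)')


def find_suspect_requests(log_text):
    """Return one dict per request whose path matches the advisory's vulnerable shape."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        s = SUSPECT_PATH_RE.match(m.group("path"))
        if s:
            hits.append({"ip": m.group("ip"), "status": int(m.group("status")),
                         "matrix_segment": s.group("tail")})
    return hits


def is_affected_version(version):
    """True when a spring-cloud-netflix-hystrix-dashboard version is <= 2.2.9.RELEASE.

    Assumption: only the numeric prefix is compared; the Spring qualifier
    (RELEASE, RC1, BUILD-SNAPSHOT) is ignored, so any 2.2.10.* counts as fixed.
    """
    nums = tuple(int(p) for p in re.match(r"^(\d+(?:\.\d+)*)", version).group(1).split("."))
    return nums <= (2, 2, 9)


if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(f"{hit['ip']} -> matrix segment {hit['matrix_segment']!r} (HTTP {hit['status']})")
    for v in ("2.2.9.RELEASE", "2.2.10.RELEASE", "2.1.3.RELEASE"):
        print(v, "affected" if is_affected_version(v) else "fixed")
```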

Packages

Name: org.springframework.cloud:spring-cloud-netflix-hystrix-dashboard
Ecosystem: maven
Affected versions: <= 2.2.9.RELEASE
Fixed version: 2.2.10.RELEASE

EPSS: 0.85682 (percentile 99%, High)

CVSS3: 7.6 High

Weaknesses

CWE-94

Related vulnerabilities

Source: nvd, about 4 years ago
CVSS3: 8.8

Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.
