// For flags

CVE-2020-5412

Hystrix Dashboard Proxy In spring-cloud-netflix-hystrix-dashboard

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.

Spring Cloud Netflix, versiones 2.2.x anteriores a 2.2.4, versiones 2.1.x anteriores a 2.1.6 y versiones anteriores no compatibles, permiten a las aplicaciones utilizar el endpoint proxy.stream de Hystrix Dashboard para hacer peticiones a cualquier servidor accesible por parte del servidor de que aloja el panel de control. Un usuario malicioso, o atacante, puede enviar una petición hacia otros servidores que no deberían estar expuestos públicamente

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-01-03 CVE Reserved
  • 2020-08-07 CVE Published
  • 2024-09-16 CVE Updated
  • 2024-11-02 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
  • CWE-610: Externally Controlled Reference to a Resource in Another Sphere
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
URL Date SRC
https://tanzu.vmware.com/security/cve-2020-5412 2020-08-11
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Vmware
Search vendor "Vmware"
 Spring Cloud Netflix
Search vendor "Vmware" for product "Spring Cloud Netflix"
 < 2.1.6
Search vendor "Vmware" for product "Spring Cloud Netflix" and version " < 2.1.6"
-
Affected
Vmware
Search vendor "Vmware"
 Spring Cloud Netflix
Search vendor "Vmware" for product "Spring Cloud Netflix"
 >= 2.2.0 < 2.2.4
Search vendor "Vmware" for product "Spring Cloud Netflix" and version " >= 2.2.0 < 2.2.4"
-
Affected