Published: 19/11/2021 Updated: 23/11/2021

CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8

CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8

VMScore: 580

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.

Vulnerable Product	Search on Vulmon	Subscribe to Product
vmware spring cloud netflix

Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability CVE-2021-22053

CVE-2021-22053: Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability Severity High Vendor Spring by VMware Description Applications using both spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf expose a way to execute code submitted within the request URI path during the resolution of view templates When a request is made at /hystrix/m

CVE-2021-22053: Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability

CVE-2021-22053 CVE-2021-22053: Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability Description Applications using both spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf expose a way to execute code submitted within the request URI path during the resolution of view templates When a request is made at /hystrix/monitor;[user-provided d

CWE-94 https://tanzu.vmware.com/security/cve-2021-22053 https://nvd.nist.gov https://github.com/SecCoder-Security-Lab/spring-cloud-netflix-hystrix-dashboard-cve-2021-22053

CVE-2021-22053

Vulnerability Summary

Vulnerability Trend

Github Repositories

References

Vulmon Search

About

Products

Connect