CVE-2021-22053

HIGH7.6EPSS 89.6%

Code injection in spring-cloud-netflix-hystrix-dashboard

Published: 11/23/2021Modified: 11/8/2023

Description

Applications using the `spring-cloud-netflix-hystrix-dashboard` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.

Affected packages (1)

Maven/org.springframework.cloud:spring-cloud-netflix-hystrix-dashboardfrom 0, < 2.2.10.RELEASE

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.6	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

References (2)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-22053
WEBhttps://tanzu.vmware.com/security/cve-2021-22053