CVE-2021-22053
HIGH7.6EPSS 89.6%Code injection in spring-cloud-netflix-hystrix-dashboard
發布日:2021/11/23修改日:2023/11/8
描述
Applications using the `spring-cloud-netflix-hystrix-dashboard` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.
受影響套件(1)
- Maven/org.springframework.cloud:spring-cloud-netflix-hystrix-dashboardfrom 0, < 2.2.10.RELEASE
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.6 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L |