cnvd - cnvd-2021-39539

CNVD-2021-39539

Vulnerability from cnvd - Published: 2021-06-04

Title

VMware Spring Cloud Netflix存在未明漏洞

Description

Spring Cloud Netflix是各种Netflix OSS组件集成。 VMware Spring Cloud Netflix 2.2.4之前的2.2.x版本、2.1.6之前的2.1.x版本及不在支持的老版本中存在安全漏洞，攻击者可利用该漏洞向其他服务器发送请求。

Severity

中

Patch Name

VMware Spring Cloud Netflix存在未明漏洞的补丁

Patch Description

Spring Cloud Netflix是各种Netflix OSS组件集成。 VMware Spring Cloud Netflix 2.2.4之前的2.2.x版本、2.1.6之前的2.1.x版本及不在支持的老版本中存在安全漏洞，攻击者可利用该漏洞向其他服务器发送请求。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://tanzu.vmware.com/security/cve-2020-5412

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-5412

Impacted products

Name
['VMware Spring Cloud Netflix 2.2.，<2.2.4', 'VMware Spring Cloud Netflix 2.1.，<2.1.6']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-5412"
    }
  },
  "description": "Spring Cloud Netflix\u662f\u5404\u79cdNetflix OSS\u7ec4\u4ef6\u96c6\u6210\u3002\n\nVMware Spring Cloud Netflix 2.2.4\u4e4b\u524d\u76842.2.x\u7248\u672c\u30012.1.6\u4e4b\u524d\u76842.1.x\u7248\u672c\u53ca\u4e0d\u5728\u652f\u6301\u7684\u8001\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5411\u5176\u4ed6\u670d\u52a1\u5668\u53d1\u9001\u8bf7\u6c42\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://tanzu.vmware.com/security/cve-2020-5412",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-39539",
  "openTime": "2021-06-04",
  "patchDescription": "Spring Cloud Netflix\u662f\u5404\u79cdNetflix OSS\u7ec4\u4ef6\u96c6\u6210\u3002\r\n\r\nVMware Spring Cloud Netflix 2.2.4\u4e4b\u524d\u76842.2.x\u7248\u672c\u30012.1.6\u4e4b\u524d\u76842.1.x\u7248\u672c\u53ca\u4e0d\u5728\u652f\u6301\u7684\u8001\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5411\u5176\u4ed6\u670d\u52a1\u5668\u53d1\u9001\u8bf7\u6c42\u3002 \u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "VMware Spring Cloud Netflix\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "VMware Spring Cloud Netflix 2.2.*\uff0c\u003c2.2.4",
      "VMware Spring Cloud Netflix 2.1.*\uff0c\u003c2.1.6"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-5412",
  "serverity": "\u4e2d",
  "submitTime": "2020-09-03",
  "title": "VMware Spring Cloud Netflix\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

CVE-2020-5412 (GCVE-0-2020-5412)

Vulnerability from cvelistv5 – Published: 2020-08-07 20:45 – Updated: 2024-09-16 18:24

Summary

Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.

Severity ?

No CVSS data available.

CWE

CWE-441 - Unintended Proxy or Intermediary

Assigner

pivotal

References

URL

Tags

https://tanzu.vmware.com/security/cve-2020-5412

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Spring by VMware	Spring Cloud Netflix	Affected: 2.2 , < 2.2.4 (custom) Affected: 2.1 , < 2.1.6 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T08:30:24.134Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://tanzu.vmware.com/security/cve-2020-5412"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Spring Cloud Netflix",
          "vendor": "Spring by VMware",
          "versions": [
            {
              "lessThan": "2.2.4",
              "status": "affected",
              "version": "2.2",
              "versionType": "custom"
            },
            {
              "lessThan": "2.1.6",
              "status": "affected",
              "version": "2.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2020-08-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "CWE-441: Unintended Proxy or Intermediary",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-08-07T20:45:13",
        "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "shortName": "pivotal"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://tanzu.vmware.com/security/cve-2020-5412"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Hystrix Dashboard Proxy In spring-cloud-netflix-hystrix-dashboard",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@pivotal.io",
          "DATE_PUBLIC": "2020-08-05T00:00:00.000Z",
          "ID": "CVE-2020-5412",
          "STATE": "PUBLIC",
          "TITLE": "Hystrix Dashboard Proxy In spring-cloud-netflix-hystrix-dashboard"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Spring Cloud Netflix",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "2.2",
                            "version_value": "2.2.4"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "2.1",
                            "version_value": "2.1.6"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Spring by VMware"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly."
            }
          ]
        },
        "impact": null,
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-441: Unintended Proxy or Intermediary"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://tanzu.vmware.com/security/cve-2020-5412",
              "refsource": "CONFIRM",
              "url": "https://tanzu.vmware.com/security/cve-2020-5412"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
    "assignerShortName": "pivotal",
    "cveId": "CVE-2020-5412",
    "datePublished": "2020-08-07T20:45:13.154243Z",
    "dateReserved": "2020-01-03T00:00:00",
    "dateUpdated": "2024-09-16T18:24:52.747Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-39539

CVE-2020-5412 (GCVE-0-2020-5412)

Tags

Sightings

Nomenclature