Spring · Spring Cloud Netflix · CVE-2020-5412
**Name of the Vulnerable Software and Affected Versions**
Spring Cloud Netflix versions 2.2.x prior to 2.2.4
Spring Cloud Netflix versions 2.1.x prior to 2.1.6
Older, unsupported Spring Cloud Netflix versions (the Hystrix Dashboard module in any of these lines)
**Description**
The Hystrix Dashboard shipped with these versions exposes a `/proxy.stream` endpoint that fetches a Hystrix metrics stream from whatever URL is supplied in its `origin` query parameter and relays the response to the caller. The origin is not validated, so anyone who can reach the dashboard can use it as a server-side request forgery (SSRF) proxy: the dashboard host makes the request on the attacker's behalf, and the attacker reads the reply. Any server reachable from the dashboard host is a target, including services that are deliberately not exposed publicly. A request such as `/proxy.stream?origin=http://169.254.169.254/latest/meta-data/` aims the proxy at a cloud instance-metadata service, which can hand back instance credentials; internal admin consoles, service registries and databases on the same network are equally reachable.
**Recommendations**
For Spring Cloud Netflix versions 2.2.x prior to 2.2.4, update to version 2.2.4 or later.
For Spring Cloud Netflix versions 2.1.x prior to 2.1.6, update to version 2.1.6 or later.
For Spring Cloud Netflix older unsupported versions, consider upgrading to a supported version and then applying the necessary update.
As a temporary workaround, restrict who can reach `/proxy.stream` (and the dashboard as a whole): put it behind authentication, limit it to an operator network, or disable the dashboard where it is not needed. Because the endpoint cannot work without an `origin` value, treat any `origin` that does not point at one of your own Hystrix stream endpoints as an attack, and if the dashboard sits behind a reverse proxy, reject such values there. Also limit egress from the dashboard host, in particular to the instance-metadata address and to internal services, so a forged request that does get through has nowhere to go. Check access logs for past `proxy.stream` requests whose `origin` names an internal or unexpected host.
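The following is an added example, not code from the Spring Cloud Netflix project, that covers both the description above (what an abusive `proxy.stream` request looks like) and the workaround (an allowlist check on the `origin` value). It classifies an `origin` URL as allowed or denied and runs that check over constructed access-log lines to flag past abuse. The allowlisted hostnames, the client addresses and the log lines are all made up for the example; a real deployment lists its own Hystrix stream hosts. It only inspects IP literals offline, so in production the allowlist should be the decisive check (a hostname can still resolve to an internal address).

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Hosts the dashboard may legitimately proxy a hystrix.stream from.
# Constructed for this example; replace with your own service hostnames.
ALLOWED_ORIGIN_HOSTS = {"orders.internal.example", "payments.internal.example"}
ALLOWED_SCHEMES = {"http", "https"}


def is_internal_ip(host: str) -> bool:
    """True if host is an IP literal in a loopback, link-local, private or
    otherwise non-routable range (169.254.169.254 is link-local)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal; left to the allowlist
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)


def classify_origin(origin: str, allowed_hosts=ALLOWED_ORIGIN_HOSTS) -> str:
    """Return 'allow' or 'deny:<reason>' for a proxy.stream origin value.

    Order matters: scheme first (no file:// or gopher://), then reject
    internal IP literals, then require an exact allowlisted hostname.
    """
    parts = urlsplit(origin)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "deny:scheme"
    host = parts.hostname  # lowercased, userinfo and port stripped
    if not host:
        return "deny:no-host"
    if is_internal_ip(host):
        return "deny:internal-address"
    if host not in allowed_hosts:
        return "deny:not-allowlisted"
    return "allow"


# Combined-log-format line: client, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def scan_access_log(lines, allowed_hosts=ALLOWED_ORIGIN_HOSTS):
    """Return (client_ip, origin, verdict) for every proxy.stream request
    whose origin would be denied by classify_origin."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("path"))
        # The servlet is registered at /proxy.stream; tolerate a context path.
        if not url.path.endswith("/proxy.stream"):
            continue
        # parse_qs percent-decodes, so the encoded origin becomes a plain URL.
        for origin in parse_qs(url.query).get("origin", []):
            verdict = classify_origin(origin, allowed_hosts)
            if verdict != "allow":
                findings.append((m.group("ip"), origin, verdict))
    return findings


# Constructed sample log: one legitimate stream, a metadata-service probe,
# a probe at an internal service, one at an external host, and a page view.
SAMPLE_LOG = """\
10.1.2.3 - - [27/Jul/2020:10:15:01 +0000] "GET /proxy.stream?origin=http%3A%2F%2Forders.internal.example%3A8080%2Factuator%2Fhystrix.stream HTTP/1.1" 200 5120
198.51.100.7 - - [27/Jul/2020:10:16:44 +0000] "GET /proxy.stream?origin=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 311
198.51.100.7 - - [27/Jul/2020:10:16:59 +0000] "GET /proxy.stream?origin=http%3A%2F%2F10.0.0.5%3A8500%2Fv1%2Fkv%2F HTTP/1.1" 200 88
198.51.100.7 - - [27/Jul/2020:10:17:03 +0000] "GET /proxy.stream?origin=http%3A%2F%2Fattacker.example%2F HTTP/1.1" 200 42
10.1.2.3 - - [27/Jul/2020:10:17:10 +0000] "GET /hystrix HTTP/1.1" 200 2048
""".splitlines()


if __name__ == "__main__":
    for client, origin, verdict in scan_access_log(SAMPLE_LOG):
        print(f"{client} proxy.stream origin={origin} -> {verdict}")
```

The same `classify_origin` logic is what a reverse proxy or servlet filter in front of `/proxy.stream` should apply before forwarding; the log scan is for finding requests that were already served before the restriction was in place.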