PT-2020-18465 · Spring · Spring Cloud Netflix

Vern · Published 2020-08-07 · Updated 2025-03-11 · CVE-2020-5412

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Spring Cloud Netflix versions 2.2.x prior to 2.2.4
Spring Cloud Netflix versions 2.1.x prior to 2.1.6
Spring Cloud Netflix older unsupported versions

Description

The Hystrix Dashboard proxy.stream endpoint lets the application make requests to any server reachable from the server hosting the dashboard. A malicious user can therefore use the dashboard to send requests to servers that should not be exposed publicly. The /proxy.stream endpoint can be exploited by sending a request with a specially crafted origin parameter, such as http://169.254.169.254/latest/metadata/.

Recommendations

For Spring Cloud Netflix versions 2.2.x prior to 2.2.4, update to version 2.2.4 or later. For Spring Cloud Netflix versions 2.1.x prior to 2.1.6, update to version 2.1.6 or later. For Spring Cloud Netflix older unsupported versions, upgrade to a supported version and then apply the corresponding update. As a temporary workaround, restrict access to the proxy.stream endpoint to minimize the risk of exploitation, and avoid using the origin parameter of the affected endpoint until the issue is resolved.
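Added here to illustrate the workaround above (this is not code from the advisory or from Spring Cloud Netflix): a Python check that scans constructed access-log lines for /proxy.stream requests whose origin parameter points at a link-local, loopback or private address, or at a host outside a hypothetical allowlist, so an operator can find abuse attempts in existing logs.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the advisory). The first
# names an upstream an operator might legitimately monitor; the next two aim
# the origin parameter at addresses the dashboard host should never proxy to.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Aug/2020:10:00:01 +0000] "GET /proxy.stream?origin=http://orders.internal:8080/actuator/hystrix.stream HTTP/1.1" 200 512
10.0.0.9 - - [07/Aug/2020:10:00:02 +0000] "GET /proxy.stream?origin=http://169.254.169.254/latest/metadata/ HTTP/1.1" 200 73
10.0.0.9 - - [07/Aug/2020:10:00:03 +0000] "GET /proxy.stream?origin=http%3A%2F%2F127.0.0.1%3A8081%2Fadmin HTTP/1.1" 200 41
10.0.0.7 - - [07/Aug/2020:10:00:04 +0000] "GET /hystrix HTTP/1.1" 200 1200
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Hypothetical allowlist: the only upstream hosts this dashboard should proxy.
ALLOWED_HOSTS = {"orders.internal"}

def classify_origin(origin: str, allowed_hosts: set) -> str:
    """Return 'ok' or a short reason why this origin value is suspicious."""
    parts = urlsplit(origin if "://" in origin else "http://" + origin)
    host = parts.hostname
    if not host:
        return "unparseable host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Plain hostname: accept only if it is explicitly allowlisted.
        return "ok" if host in allowed_hosts else "host not allowlisted"
    if addr.is_link_local:  # checked first: 169.254/16 is also "private"
        return "link-local address (cloud metadata range)"
    if addr.is_loopback or addr.is_private:
        return "internal address"
    return "literal IP not allowlisted"

def scan_log(text: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Return (client, origin, reason) for each suspicious /proxy.stream request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != "/proxy.stream":
            continue
        for origin in parse_qs(target.query).get("origin", []):  # parse_qs decodes %xx
            reason = classify_origin(origin, allowed_hosts)
            if reason != "ok":
                findings.append((line.split()[0], origin, reason))
    return findings
```

Running scan_log over real dashboard access logs yields the client address, the decoded origin value and the reason each request was flagged.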

Fix


Weakness Enumeration

Related Identifiers

CVE-2020-5412
GHSA-QGCG-P3V2-9H4P

Affected Products

Spring Cloud Netflix