CVE-2021-22053

State: PUBLISHED · Published: 2021-11-19 · Updated: 2024-08-03 · Assigner: vmware

Description

Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.

CWE

CWE-94 — CWE-94: Improper Control of Generation of Code ('Code Injection')

Affected

n/a / Spring Cloud Netflix — v=Spring Cloud Netflix versions 2.2.x prior to 2.2.10.Release + and old unsupported versions [affected]

CVSS

(none)

References

https://tanzu.vmware.com/security/cve-2021-22053 x_refsource_MISC

Source

cvelistV5-main/cves/2021/22xxx/CVE-2021-22053.json