WEB Spring Cloud Netflix Hystrix Dashboard Template Remote Code Execution (CVE-2021-22053)

Rule ID

1232036

Severity

High

Description

Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made to `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are evaluated as SpringEL expressions, which can lead to code execution.
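As an added example (not part of this rule entry or of the Spring Cloud project), the following Python check flags request paths of the shape the description gives: `/hystrix/monitor` followed directly by a `;` segment, which is the only place the affected application treats path data as a template expression. The access-log lines are constructed for the demonstration; the pattern also catches a URL-encoded semicolon (`%3B`), which an IPS would normalize before matching.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not from the rule page): method, path, status.
SAMPLE_LOG = """\
GET /hystrix/monitor 200
GET /hystrix/monitor?stream=http://localhost:8080/actuator/hystrix.stream 200
GET /hystrix/monitor;stream=localhost 200
GET /hystrix/monitor;x=y/extra 500
GET /hystrix/dashboard 200
GET /hystrix/monitorx;a=b 404
GET /hystrix/monitor%3Ba=b 200
POST /api/orders 201
"""

# The affected endpoint from the advisory: /hystrix/monitor with a matrix-style
# ';' segment appended. The legitimate dashboard passes its stream URL as a
# query parameter (?stream=...), never as a ';' path segment.
_AFFECTED = re.compile(r"^/hystrix/monitor(?=;)")


def is_suspicious_path(path: str) -> bool:
    """True when the request path is /hystrix/monitor immediately followed by ';'."""
    # Drop the query string: only the path portion is resolved as a view name.
    path_only = urlsplit(path).path
    # Decode percent-encoding so an encoded ';' is matched as well.
    return bool(_AFFECTED.match(unquote(path_only)))


def scan_log(text: str) -> list[str]:
    """Return the request paths of log lines that match the affected pattern."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        _method, path = parts[0], parts[1]
        if is_suspicious_path(path):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("blocked/alert:", hit)
```

The match is anchored on the exact `/hystrix/monitor` prefix, so `/hystrix/dashboard` and the misspelled `/hystrix/monitorx;...` are not reported; the same predicate can be used as a deny rule in a reverse proxy or WAF while the vendor patch is rolled out.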

Impact

Remote code execution

Recommendation

Apply the vendor's patch.

IPS Category

Buffer Overflow

IPS Anomaly Group

N/A

IPS Rule Default Action

Deny

Reference

Keyword

N/A

Created At

2022/12/29

Updated At

2022/12/29
