CVE-2020-5412
Published: 2020-08-07


Priority: P2 · 76 · Severity: medium · CVSS 3.1 base score: 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
VulnCheck KEV: exploited in the wild
EPSS: 10.21% (95.1th percentile)
Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.

Affected (4 ranges)

Vendor           | Product              | Version range     | Fixed in
spring_by_vmware | spring_cloud_netflix | >= 2.1 < 2.1.6    | 2.1.6
spring_by_vmware | spring_cloud_netflix | >= 2.2 < 2.2.4    | 2.2.4
vmware           | spring_cloud_netflix | < 2.1.6           | 2.1.6
vmware           | spring_cloud_netflix | >= 2.2.0 < 2.2.4  | 2.2.4

Detection & IOCs (extracted from sources)

url:  /proxy.stream?origin=http://{{interactsh-url}}
path: /proxy.stream
url:  http://169.254.169.254/latest/metadata/
  • Send a GET request to /proxy.stream?origin= with an external callback URL; a successful SSRF is confirmed by an inbound HTTP interaction on the interactsh/OOB listener AND a response header containing the word 'Jelly' with HTTP 200.
  • For high-impact SSRF confirmation, redirect the origin parameter to the AWS EC2 instance metadata endpoint to attempt credential/metadata exfiltration.
  • The vulnerable parameter is 'origin' in the query string of the /proxy.stream endpoint; monitor for outbound requests originating from the dashboard host triggered by this parameter.
  • Affected versions are Spring Cloud Netflix 2.2.x prior to 2.2.4 and 2.1.x prior to 2.1.6; older unsupported versions are also vulnerable. Patched versions (2.2.4+, 2.1.6+) are not affected.
  • Exploitation requires an authenticated (low-privilege) user; the CVSS vector indicates PR:L (privileges required: low), so unauthenticated scanning may produce false negatives.
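The monitoring point above (watch the origin parameter of /proxy.stream on the dashboard host) can be applied to web-server access logs. The following is an added example, not code from the page or from Spring Cloud Netflix: it scans constructed combined-format log lines and flags proxy.stream requests whose origin targets a link-local (cloud metadata) address, a private address, or any host outside an assumed allowlist of legitimate Hystrix stream hosts.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Hosts the dashboard is legitimately allowed to proxy to (assumed for this example).
ALLOWED_ORIGIN_HOSTS = {"hystrix-app.internal"}

# Constructed combined-format access-log lines from the dashboard host; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [07/Aug/2020:10:01:02 +0000] "GET /hystrix HTTP/1.1" 200 512
10.0.0.5 - alice [07/Aug/2020:10:01:09 +0000] "GET /proxy.stream?origin=http://hystrix-app.internal:8080/hystrix.stream HTTP/1.1" 200 0
203.0.113.7 - bob [07/Aug/2020:10:02:30 +0000] "GET /proxy.stream?origin=http://169.254.169.254/latest/metadata/ HTTP/1.1" 200 0
203.0.113.7 - bob [07/Aug/2020:10:02:41 +0000] "GET /proxy.stream?origin=http%3A%2F%2F10.0.0.2%3A9200%2F HTTP/1.1" 200 0
203.0.113.7 - bob [07/Aug/2020:10:03:00 +0000] "GET /proxy.stream?origin=http://oob.example.net/ HTTP/1.1" 200 0
"""

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')


def origin_risk(origin, allowed=ALLOWED_ORIGIN_HOSTS):
    """Return why an origin URL is suspicious, or None if it names an allowed stream host."""
    host = urlsplit(origin).hostname
    if host in allowed:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "host not in allowlist"  # unknown DNS name, e.g. an out-of-band callback domain
    if ip.is_link_local:
        return "link-local address (cloud metadata range)"
    if ip.is_private or ip.is_loopback or ip.is_reserved:
        return "internal address"
    return "host not in allowlist"


def scan_log(text, allowed=ALLOWED_ORIGIN_HOSTS):
    """Flag /proxy.stream requests whose origin parameter points somewhere it should not."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])  # parse_qs percent-decodes the origin value
        if target.path != "/proxy.stream":
            continue
        for origin in parse_qs(target.query).get("origin", []):
            reason = origin_risk(origin, allowed)
            if reason:
                findings.append({"client": m["client"], "user": m["user"], "origin": origin, "reason": reason})
    return findings
```

Run `scan_log(SAMPLE_LOG)` to see the three flagged requests; the allowlisted stream host on the second line is not reported.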

CVSS provenance

nvd v3.1:  6.5 MEDIUM  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd v2.0:  4.0 MEDIUM  AV:N/AC:L/Au:S/C:P/I:N/A:N
vulncheck: 6.5 MEDIUM