CVE-2020-5412
Published 2020-08-07
Priority P276 · medium · 6.5 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 10.21% (95.1th percentile)
Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| spring_by_vmware | spring_cloud_netflix | >= 2.1 < 2.1.6 | 2.1.6 |
| spring_by_vmware | spring_cloud_netflix | >= 2.2 < 2.2.4 | 2.2.4 |
| vmware | spring_cloud_netflix | < 2.1.6 | 2.1.6 |
| vmware | spring_cloud_netflix | >= 2.2.0 < 2.2.4 | 2.2.4 |
Detection & IOCs (extracted from sources)
url: http://169.254.169.254/latest/metadata/
- Send a GET request to /proxy.stream?origin= with an external callback URL; a successful SSRF is confirmed by an inbound HTTP interaction on the interactsh/OOB listener AND a response header containing the word 'Jelly' with HTTP 200.
- For high-impact SSRF confirmation, redirect the origin parameter to the AWS EC2 instance metadata endpoint to attempt credential/metadata exfiltration.
- The vulnerable parameter is 'origin' in the query string of the /proxy.stream endpoint; monitor for outbound requests originating from the dashboard host triggered by this parameter.
- Affected versions are Spring Cloud Netflix 2.2.x prior to 2.2.4 and 2.1.x prior to 2.1.6; older unsupported versions are also vulnerable. Patched versions (2.2.4+, 2.1.6+) are not affected.
- Exploitation requires an authenticated (low-privilege) user; the CVSS vector indicates PR:L (privileges required: low), so unauthenticated scanning may produce false negatives.
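Defender-side detection logic for the origin parameter described above, as an added example that is not from the page or the Spring Cloud Netflix project: it reads constructed access-log lines, extracts origin= from /proxy.stream requests and flags targets that resolve textually to loopback, link-local or private addresses, or that fall outside a hypothetical allowlist (ALLOWED_ORIGINS, the log format and the sample lines are assumptions).

```python
"""Detection helper for CVE-2020-5412: flag Hystrix Dashboard /proxy.stream
requests whose origin= parameter points at an internal or non-allowlisted host.
Log layout and allowlist are assumptions; the log lines are constructed samples."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist of the only Hystrix stream hosts the dashboard should proxy.
ALLOWED_ORIGINS = {"hystrix-app.internal:8080"}
# Matches the request line of a common access-log format (assumed layout).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def origin_from_request(path):
    """Return the decoded origin= value of a /proxy.stream request, else None."""
    parts = urlsplit(path)
    if not parts.path.endswith("/proxy.stream"):
        return None
    vals = parse_qs(parts.query).get("origin")
    return vals[0] if vals else None

def classify_origin(origin):
    """'allowed', 'internal' (loopback, link-local or private IP) or 'external'."""
    target = urlsplit(origin if "://" in origin else "http://" + origin)
    host = target.hostname or ""
    netloc = f"{host}:{target.port}" if target.port else host
    if netloc in ALLOWED_ORIGINS:
        return "allowed"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # a hostname; DNS is deliberately not resolved here
    return "internal" if (ip.is_loopback or ip.is_link_local or ip.is_private) else "external"

def suspicious_requests(lines):
    """Return (origin, verdict) for each proxy.stream request outside the allowlist."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        origin = origin_from_request(m.group("path")) if m else None
        if origin is not None and (verdict := classify_origin(origin)) != "allowed":
            hits.append((origin, verdict))
    return hits

# Constructed sample access-log lines (not captured from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Aug/2020:10:00:00 +0000] "GET /proxy.stream?origin=http%3A%2F%2Fhystrix-app.internal%3A8080%2Fhystrix.stream HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Aug/2020:10:00:01 +0000] "GET /proxy.stream?origin=http%3A%2F%2F169.254.169.254%2Flatest%2Fmetadata%2F HTTP/1.1" 200 781',
    '10.0.0.9 - - [07/Aug/2020:10:00:02 +0000] "GET /proxy.stream?origin=http%3A%2F%2Fexample.org%2F HTTP/1.1" 200 300',
    '10.0.0.7 - - [07/Aug/2020:10:00:03 +0000] "GET /hystrix HTTP/1.1" 200 1200',
]
```

The same allowlist check, applied before the dashboard opens the proxied connection, is the shape of the fix; hostname origins are classified as external here because resolving them from a detection script would itself emit traffic.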
CVSS provenance
nvd v3.1: 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd v2.0: 4.0 MEDIUM · AV:N/AC:L/Au:S/C:P/I:N/A:N
vulncheck: 6.5 MEDIUM
OSV
Externally Controlled Reference to a Resource in Another Sphere and Confused Deputy in Spring Cloud Netflix
osv·2021-04-30
CVE-2020-5412 [MEDIUM] Externally Controlled Reference to a Resource in Another Sphere and Confused Deputy in Spring Cloud Netflix
GHSA
Externally Controlled Reference to a Resource in Another Sphere and Confused Deputy in Spring Cloud Netflix
ghsa·2021-04-30
CVE-2020-5412 [MEDIUM] CWE-441 Externally Controlled Reference to a Resource in Another Sphere and Confused Deputy in Spring Cloud Netflix
VulnCheck
VMware Spring Framework Unintended Proxy or Intermediary ('Confused Deputy')
vulncheck·2020·CVSS 6.5
CVE-2020-5412 [MEDIUM] VMware Spring Framework Unintended Proxy or Intermediary ('Confused Deputy')
Affected: VMware Spring Framework
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.sonicwall.com/resources/white-papers/2025-sonicwall-cyber-threat-report
No detection rules found.
Nuclei
Spring Cloud Netflix - Server-Side Request Forgery
nuclei·CVSS 6.5
CVE-2020-5412 [MEDIUM] Spring Cloud Netflix - Server-Side Request Forgery
Spring Cloud Netflix 2.2.x prior to 2.2.4, 2.1.x prior to 2.1.6, and older unsupported versions are susceptible to server-side request forgery. Applications can use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. An attacker can send a request to other servers and thus potentially access sensitive information, modify data, and/or execute unauthorized operations.
Template:
```yaml
id: CVE-2020-5412
info:
  name: Spring Cloud Netflix - Server-Side Request Forgery
  author: dwisiswant0
  severity: medium
  description: Spring Cloud Netflix 2.2.x prior to 2.2.4, 2.1.x prior to 2.1.6, and older unsupported versions are susceptible to server-side request forgery. Applications can use
```