CVE-2021-22053
Description
Applications using both spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made to /hystrix/monitor;[user-provided data], the path elements following hystrix/monitor are evaluated as Spring Expression Language (SpringEL) expressions, which can lead to code execution.
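As an added example (not code from the advisory or from the Spring Cloud project), a small log-scanning check that flags access-log requests to /hystrix/monitor carrying a ';'-delimited path parameter, which the legitimate dashboard endpoint never uses; the log format and sample lines are constructed, and encoded forms of ';' are decoded before matching.

```python
"""Access-log check for CVE-2021-22053 probes (added example; log format assumed)."""
import re
from urllib.parse import unquote

# Combined/common log format: "METHOD TARGET HTTP/x.y" inside quotes (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# The advisory's pattern: a ';' directly after the monitor endpoint path.
MONITOR_MATRIX_RE = re.compile(r"/hystrix/monitor;", re.IGNORECASE)

# Constructed sample lines: benign use, a matrix parameter, an encoded ';', unrelated path.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2022:10:00:00 +0000] "GET /hystrix/monitor?stream=http%3A%2F%2Fapp%2Factuator%2Fhystrix.stream HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2022:10:00:01 +0000] "GET /hystrix/monitor;a=b HTTP/1.1" 500 0
10.0.0.7 - - [01/Jan/2022:10:00:02 +0000] "GET /hystrix/monitor%3Bx=y HTTP/1.1" 500 0
10.0.0.8 - - [01/Jan/2022:10:00:03 +0000] "GET /actuator/health HTTP/1.1" 200 15
"""


def request_path(target: str) -> str:
    """Return the decoded path of a request target, without the query string."""
    path = target.split("?", 1)[0]
    # Decode twice so single- and double-encoded ';' (%3B, %253B) are both caught.
    return unquote(unquote(path))


def is_suspicious(line: str) -> bool:
    """True if the line requests /hystrix/monitor with a matrix-style path parameter."""
    m = REQUEST_RE.search(line)
    if not m:
        return False
    return MONITOR_MATRIX_RE.search(request_path(m.group("target"))) is not None


def find_suspicious(log_text: str) -> list[str]:
    """Return the source addresses (first field) of all suspicious requests."""
    return [line.split(" ", 1)[0] for line in log_text.splitlines() if is_suspicious(line)]


if __name__ == "__main__":
    for ip in find_suspicious(SAMPLE_LOG):
        print("possible CVE-2021-22053 probe from", ip)
```

Any hit is worth correlating with the dashboard's own error logs, since a legitimate client has no reason to send path parameters to this endpoint.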
NVD
Severity: HIGH
CVE ID: CVE-2021-22053
CVSS Score: 8.8
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Proof Of Concept
Nuclei Templates for CVE-2021-22053
Reference: Project Discovery GitHub
SecCoder-Security-Lab
Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability CVE-2021-22053
Reference: GitHub
Vulnmachines
CVE-2021-22053: Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability
Reference: GitHub