
CVE-2021-22053

Description

Applications using both spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made to /hystrix/monitor;[user-provided data], the path elements following hystrix/monitor (the matrix-variable data after the semicolon) are evaluated as Spring Expression Language (SpEL) expressions, which can lead to code execution.
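One way to hunt for this vector in existing web-server access logs, as an added example that is not part of this page or of the PoC repositories linked below: it flags any request whose path carries matrix-variable data after /hystrix/monitor; and escalates the verdict when that data contains SpEL expression markers. The combined-format log lines are constructed for illustration, and the marker list is an assumption drawn from SpEL/Thymeleaf expression syntax, not a signature of any particular exploit.

```python
"""Flag access-log requests that match the CVE-2021-22053 vector.

Added example for this page; not code from Spring Cloud Netflix or from the
linked PoC repositories. Log format and sample lines are constructed.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# NGINX/Apache "combined" format: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The vulnerable endpoint: everything after the ';' in this path segment is
# matrix-variable data that the dashboard passed into view resolution.
ENDPOINT_RE = re.compile(r'^/hystrix/monitor;(?P<matrix>[^/?#]*)', re.IGNORECASE)

# Assumption: SpEL payloads are recognisable by the standard expression
# markers `${`, `*{`, `#{` or a type reference `T(`. These are syntax facts
# about the expression language, not a signature of a specific exploit.
SPEL_MARKERS = re.compile(r'(\$\{|\*\{|#\{|\bT\()')


def normalise(path: str) -> str:
    """Decode percent-encoding twice so double-encoded payloads are caught."""
    return unquote(unquote(path))


def classify(path: str) -> Optional[str]:
    """Return 'spel' if the matrix segment looks like an expression,
    'matrix' if there is any user data after /hystrix/monitor;,
    or None if the path is not the vulnerable endpoint."""
    m = ENDPOINT_RE.match(normalise(path))
    if not m:
        return None
    matrix = m.group('matrix')
    if SPEL_MARKERS.search(matrix):
        return 'spel'
    return 'matrix' if matrix else None


def scan(lines) -> List[Tuple[str, str, str]]:
    """Return (ip, raw path, verdict) for each log line hitting the endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        verdict = classify(m.group('path'))
        if verdict:
            findings.append((m.group('ip'), m.group('path'), verdict))
    return findings


# Constructed sample log: one benign dashboard load, one container-style
# ;jsessionid rewrite, one single-encoded and one double-encoded ${7*7}.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2021:10:01:02 +0000] "GET /hystrix HTTP/1.1" 200 1532
10.0.0.5 - - [12/Nov/2021:10:01:05 +0000] "GET /hystrix/monitor?stream=http%3A%2F%2Flocalhost%3A8080%2Factuator%2Fhystrix.stream HTTP/1.1" 200 2211
203.0.113.9 - - [12/Nov/2021:10:02:11 +0000] "GET /hystrix/monitor;jsessionid=abc123 HTTP/1.1" 200 2211
203.0.113.9 - - [12/Nov/2021:10:02:14 +0000] "GET /hystrix/monitor;x=%24%7B7*7%7D HTTP/1.1" 500 312
203.0.113.9 - - [12/Nov/2021:10:02:20 +0000] "GET /hystrix/monitor;x=%2524%257B7*7%257D HTTP/1.1" 500 312
"""

if __name__ == "__main__":
    for ip, path, verdict in scan(SAMPLE_LOG.splitlines()):
        print(f"{verdict:6} {ip:15} {path}")
```

Treat a bare 'matrix' verdict as low confidence: servlet containers legitimately rewrite paths as /hystrix/monitor;jsessionid=... when cookies are disabled, so only the 'spel' verdict is a strong indicator on its own. The double decode matters because a single unquote leaves %24%7B in place and the marker regex would miss it.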

NVD
Severity: HIGH
CVE ID: CVE-2021-22053
CVSS Score: 8.8
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References: NVD, MITRE

Proof Of Concept

Nuclei Templates for CVE-2021-22053
SecCoder-Security-Lab

Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability CVE-2021-22053

Reference: GitHub

Vulnmachines

CVE-2021-22053: Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability

Reference: GitHub