关联漏洞
标题:VMware Spring Cloud Netflix 代码注入漏洞 (CVE-2021-22053)Description:Vmware VMware Spring Cloud Netflix是美国威睿(Vmware)公司的一个服务。通过自动配置和绑定到 Spring Environment 和其他 Spring 编程模型习语,为 Spring Boot 应用程序提供 Netflix OSS 集成。 VMware Spring Cloud Netflix 存在安全漏洞,该漏洞源于使用spring cloud netflix hystrix dashboard和spring boot starter thymeleaf的应用程序
Description
Spring Cloud Netflix Hystrix Dashboard prior to version 2.2.10 is susceptible to remote code execution. Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.
文件快照
id: CVE-2021-22053
info:
name: Spring Cloud Netflix Hystrix Dashboard <2.2.10 - Remote Code Execu
...
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。