CVE-2020-5412— Hystrix Dashboard Proxy In spring-cloud-netflix-hystrix-dashboard
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2020-5412
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Hystrix Dashboard Proxy In spring-cloud-netflix-hystrix-dashboard
Source: NVD (National Vulnerability Database)
Vulnerability Description
Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
未有动机的代理或中间人(混淆代理)
Source: NVD (National Vulnerability Database)
Vulnerability Title
VMware Spring Cloud Netflix 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Vmware VMware Spring Cloud Netflix是美国威睿(Vmware)公司的一个服务。通过自动配置和绑定到 Spring Environment 和其他 Spring 编程模型习语,为 Spring Boot 应用程序提供 Netflix OSS 集成。 VMware Spring Cloud Netflix 2.2.4之前的2.2.x版本、2.1.6之前的2.1.x版本及不在支持的老版本中存在安全漏洞。攻击者可利用该漏洞向其他服务器(未向外部公开)发送请求。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Spring by VMware | Spring Cloud Netflix | 2.2 ~ 2.2.4 | - |
II. Public POCs for CVE-2020-5412
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | Spring Cloud Netflix 2.2.x prior to 2.2.4, 2.1.x prior to 2.1.6, and older unsupported versions are susceptible to server-side request forgery. Applications can use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. An attacker can send a request to other servers and thus potentially access sensitive information, modify data, and/or execute unauthorized operations. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-5412.yaml | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2020-5412
请登录查看更多情报信息。
- https://tanzu.vmware.com/security/cve-2020-5412x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2020-5412
IV. Related Vulnerabilities
Same vendor: Spring by VMware
- CVE-2020-5427
Possibility of SQL Injection in Spring Cloud Data Flow Task - CVE-2020-5428
Possibility of SQL Injection in Spring Cloud Task Execution - CVE-2020-5421
RFD Protection Bypass via jsessionid - CVE-2020-5413
Kryo Configuration Allows Code Execution with Unknown "Seria - CVE-2020-5411
Jackson Configuration Allows Code Execution with Unknown "Se
Same weakness: CWE-441
- CVE-2026-45182
GrapheneOS 20260504前IP泄露漏洞 - CVE-2026-41365
OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Graph API - CVE-2026-6993
go-kratos http.DefaultServeMux Fallback server.go NewServer - CVE-2026-39906
Unisys WebPerfect Image Suite 3.0 NTLMv2 Hash Leakage via .N - CVE-2025-62718
Axios has a NO_PROXY Hostname Normalization Bypass that Lead
V. Comments for CVE-2020-5412
No comments yet