CVE-2021-22053: Improper Control of Generation of Code ('Code Injection')

November 23, 2021

Applications using both spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at /hystrix/monitor;[user-provided data], the path elements following hystrix/monitor are being evaluated as SpringEL expressions, which can lead to code execution.

References

github.com/advisories/GHSA-gx3f-hq7p-8fxv
nvd.nist.gov/vuln/detail/CVE-2021-22053
tanzu.vmware.com/security/cve-2021-22053

Detect and mitigate CVE-2021-22053 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →