On behalf of the community, I am pleased to announce that Spring Cloud Netflix version 2.2.10.RELEASE has been released.
This is primarily a security release that fixes CVE-2021-22053.
Applications using both
spring-boot-starter-thymeleaf exposed a way to execute code submitted within the request URI path during the resolution of view templates. When a request was made at /hystrix/monitor;[user-provided-data], the path elements following hystrix/monitor were being evaluated as SpringEL expressions, which could lead to code execution.
This release fixes the issue.
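
For services that ran an affected version before upgrading, one way to review access logs for requests of the shape described above (a ';' path parameter directly after /hystrix/monitor). This is an added example, not code from the Spring Cloud Netflix project; the combined access-log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# /hystrix/monitor followed by a ';' path parameter, at any context-path depth
SUSPECT_RE = re.compile(r'/hystrix/monitor/?;(?P<param>[^?#]*)', re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %3B and %253B both become ';'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspect_requests(lines):
    """Return (line_number, method, path_parameter) for each flagged log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parseable request line
        # Drop the query string first: ';' inside a query is not a path parameter
        path = fully_decode(match.group("target").split("?", 1)[0])
        suspect = SUSPECT_RE.search(path)
        if suspect:
            hits.append((number, match.group("method"), suspect.group("param")))
    return hits


# Constructed sample log lines (documentation IP range, placeholder data only)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2021:10:00:00 +0000] "GET /hystrix/monitor?stream=http%3A%2F%2Fapp%2Fhystrix.stream HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Dec/2021:10:00:05 +0000] "GET /hystrix/monitor;placeholder-data HTTP/1.1" 500 0',
    '192.0.2.12 - - [01/Dec/2021:10:00:09 +0000] "GET /app/hystrix/monitor%3Bplaceholder-data HTTP/1.1" 500 0',
    '192.0.2.13 - - [01/Dec/2021:10:00:12 +0000] "GET /hystrix/monitor%253Bx HTTP/1.1" 404 0',
    '192.0.2.14 - - [01/Dec/2021:10:00:15 +0000] "GET /hystrix HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, method, param in find_suspect_requests(SAMPLE_LOG):
        print(f"line {number}: {method} /hystrix/monitor with path parameter {param!r}")
```

A hit only shows that a request of this shape reached the server; whether the application was exposed depends on the version it was running at that time.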