
Spring Cloud Netflix version 2.2.10.RELEASE is now available

On behalf of the community, I am pleased to announce that Spring Cloud Netflix version 2.2.10.RELEASE has been released.

This is primarily a security release that fixes CVE-2021-22053.

Applications using both spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf exposed a way to execute code submitted within the request URI path during the resolution of view templates. When a request was made at /hystrix/monitor;[user-provided-data], the path elements following hystrix/monitor were being evaluated as SpringEL expressions, which could lead to code execution.

This release fixes the issue.
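To review whether an unpatched dashboard received requests of the shape described above, the following added example (not code from the Spring project) scans access-log lines for paths that carry data after `/hystrix/monitor;`. The combined log format, the sample lines, and the choice to also match percent-encoded semicolons are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Request field of a common/combined access log: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
MONITOR = "/hystrix/monitor"

def suspicious_suffix(target):
    """Return the data following '/hystrix/monitor;' in the path, or None."""
    # Only the path matters; drop query string and fragment first.
    path = target.split("?", 1)[0].split("#", 1)[0]
    # Decode a bounded number of times so %3B and %253B are seen as ';'
    # (conservative assumption: encoded forms are worth reviewing too).
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    idx = path.find(MONITOR + ";")
    if idx == -1:
        return None
    return path[idx + len(MONITOR) + 1:]

def scan(lines):
    """Yield (line_number, client, suffix) for each matching log line."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        suffix = suspicious_suffix(m.group("target"))
        if suffix is not None:
            yield n, line.split(" ", 1)[0], suffix

# Constructed sample lines (not real traffic).
SAMPLE = [
    '203.0.113.7 - - [10/Nov/2021:10:00:01 +0000] "GET /hystrix/monitor?stream=http%3A%2F%2Fapp%2Fhystrix.stream HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Nov/2021:10:00:05 +0000] "GET /hystrix/monitor;constructed-user-data HTTP/1.1" 500 310',
    '203.0.113.9 - - [10/Nov/2021:10:00:06 +0000] "GET /app/hystrix/monitor%3Bconstructed-user-data?x=1 HTTP/1.1" 500 310',
    '198.51.100.4 - - [10/Nov/2021:10:00:09 +0000] "GET /hystrix HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line_no, client, suffix in scan(SAMPLE):
        print(f"line {line_no}: {client} sent data after {MONITOR}; -> {suffix!r}")
```

A hit only shows that a request of this shape arrived; whether it mattered depends on the application having run both spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf before upgrading.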
