VMware offers training and certification to turbo-charge your progress.Learn more
Applications using both
spring-boot-starter-thymeleaf expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at
/hystrix/monitor;[user-provided data], the path elements following
hystrix/monitor are being evaluated as SpringEL expressions, which can lead to code execution.
Users of affected versions should apply the following mitigation: Users should upgrade to 2.2.10.RELEASE+. No other steps are necessary. Releases that have fixed this issue include:
This vulnerability was identified and responsibly reported by threedr3am of SecCoder Security Lab ([email protected]).
The VMware Security Response team provides a single point of contact for the reporting of security vulnerabilities in VMware Tanzu products and coordinates the process of investigating any reported vulnerabilities.
To report a security vulnerability in a VMware service or product please refer to the VMware Security Response Policy.