GitHub Advisory Database: GHSA-HHXH-QPHC-V423
History: Sep 25, 2022 - 12:00 a.m.

Nepxion Discovery vulnerable to potential Information Disclosure due to Server-Side Request Forgery

2022-09-25 00:00:15
CWE-918
GitHub Advisory Database
github.com
10
Tags: nepxion discovery, spring cloud, server-side request forgery, information disclosure, routerresourceimpl

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.002
Percentile: 58.7%

Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to a potential Server-Side Request Forgery (SSRF). RouterResourceImpl uses RestTemplate's getForEntity to retrieve the contents of a URL containing user-controlled input, potentially resulting in Information Disclosure. There is no patch available for this issue at the time of publication. There are no known workarounds.
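As an added illustration that is not taken from the Nepxion Discovery code base, the following hypothetical Spring controller shows the pattern the advisory describes (RestTemplate.getForEntity on a caller-supplied URL) next to a hardened form that fixes the scheme, checks the host against an allowlist and only lets the caller choose the path; the class, endpoint, method and allowlist names are assumptions.

```java
import java.net.URI;
import java.util.Set;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;

// Hypothetical controller; names are assumptions, not Nepxion's code.
@RestController
public class RouteProxyExample {

    private final RestTemplate restTemplate = new RestTemplate();

    // Constructed sample allowlist of the upstream hosts this service should reach.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("config.internal.example", "registry.internal.example");

    // Vulnerable pattern (CWE-918): the whole URL comes from the caller, so the
    // server fetches whatever address it can reach and hands the body back.
    @GetMapping("/router/fetch-unsafe")
    public ResponseEntity<String> fetchUnsafe(@RequestParam String url) {
        return restTemplate.getForEntity(url, String.class);
    }

    // Hardened pattern: scheme is fixed, host must be allowlisted, and the
    // caller only supplies a path that is built into the URI as a path
    // component (so it cannot smuggle a different authority).
    @GetMapping("/router/fetch")
    public ResponseEntity<String> fetchSafe(@RequestParam String host,
                                            @RequestParam String path) {
        if (!ALLOWED_HOSTS.contains(host)) {
            return ResponseEntity.badRequest().body("host not permitted");
        }
        if (!path.startsWith("/") || path.contains("..")) {
            return ResponseEntity.badRequest().body("invalid path");
        }
        URI target = UriComponentsBuilder.newInstance()
                .scheme("https")
                .host(host)
                .path(path)
                .build()
                .encode()
                .toUri();
        // The request can now only land on an allowlisted upstream.
        return restTemplate.getForEntity(target, String.class);
    }
}
```

Because the hardened endpoint never accepts a full URL, a request naming an internal address or a different scheme is rejected before any outbound call is made, which is the check a fix for this class of issue needs.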

Affected configurations

Vulners node: com.nepxion discovery, Range: 6.16.2

Vendor: com.nepxion
Product: discovery
Version: *
CPE: cpe:2.3:a:com.nepxion:discovery:*:*:*:*:*:*:*:*
