GHSA-hhxh-qphc-v423: Nepxion Discovery vulnerable to potential Information Disclosure due to Server-Side Request Forgery

Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to a potential Server-Side Request Forgery (SSRF): RouterResourceImpl uses RestTemplate’s getForEntity to retrieve the contents of a URL containing user-controlled input, potentially resulting in Information Disclosure. There is no patch available for this issue at the time of publication. There are no known workarounds.
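
The pattern the advisory describes, user-controlled input reaching RestTemplate's getForEntity, is generally contained by validating the destination before the request is made. The class below is an added example, not code from Nepxion Discovery and not a fix for it; the name OutboundUrlGuard, the allowlisted hosts and the sample inputs are assumptions constructed for illustration.

```java
import java.net.URI;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added example: a hypothetical guard, not code from Nepxion Discovery.
public final class OutboundUrlGuard {
    // Assumption: the only peers this service must reach (constructed values).
    private static final Set<String> ALLOWED = Set.of(
            "service-a.internal.example:8080",
            "service-b.internal.example:8443");

    /** Returns the parsed URI when it may be fetched; throws IllegalArgumentException otherwise. */
    public static URI validate(String userSupplied) {
        URI uri = URI.create(userSupplied.trim()).normalize(); // malformed input throws here
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme);
        }
        // getHost() is null for opaque or registry-based authorities; treat that as hostile.
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null) {
            throw new IllegalArgumentException("missing host or embedded credentials");
        }
        // Compare host AND effective port, so an allowlisted name cannot be used to reach another port.
        int port = uri.getPort() != -1 ? uri.getPort() : (scheme.equals("https") ? 443 : 80);
        String target = host.toLowerCase(Locale.ROOT) + ":" + port;
        if (!ALLOWED.contains(target)) {
            throw new IllegalArgumentException("destination not allowlisted: " + target);
        }
        return uri;
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate peer, then inputs the guard must refuse.
        List<String> samples = List.of(
                "http://service-a.internal.example:8080/status",
                "http://169.254.169.254/",
                "http://localhost:8080/admin",
                "file:///etc/passwd",
                "http://service-a.internal.example:8080@127.0.0.1/");
        for (String s : samples) {
            try {
                System.out.println("ALLOW " + validate(s));
                // Only here would the caller run restTemplate.getForEntity(uri, String.class).
            } catch (IllegalArgumentException e) {
                System.out.println("DENY  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check covers only the URL handed to it; any redirect the HTTP client follows has to pass the same check, or redirect following has to be disabled.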


Moderate severity • GitHub Reviewed • Published Sep 25, 2022 • Updated Sep 28, 2022

Related news

Nepxion Discovery software with Spring Cloud functionality fails to patch RCE, info leak bugs

Maintainer of Chinese project closes public issue apparently without issuing a fix

CVE-2022-23464: GHSL-2022-033_GHSL-2022-034: SpEL Injection in Nepxion/Discovery - CVE-2022-23463, CVE-2022-23464