Description
Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to a potential Server-Side Request Forgery (SSRF). RouterResourceImpl uses RestTemplate’s getForEntity to retrieve the contents of a URL containing user-controlled input, potentially resulting in Information Disclosure. There is no patch available for this issue at time of publication. There are no known workarounds.
Remediation
References
https://securitylab.github.com/advisories/GHSL-2022-033_GHSL-2022-034_Discovery/
Related Vulnerabilities
CVE-2018-16493 Vulnerability in npm package static-resource-server
CVE-2018-1002202 Vulnerability in maven package net.lingala.zip4j:zip4j
CVE-2021-43306 Vulnerability in maven package org.webjars:jquery-validation
CVE-2020-12668 Vulnerability in maven package com.hubspot.jinjava:jinjava
CVE-2020-10758 Vulnerability in maven package org.keycloak:keycloak-wildfly-server-subsystem