Advisory ID:

NFLX-2018-001

Advisory Title:

Unauthenticated Server-Side Request Forgery in Hystrix-Dashboard

Author:

Patrick Thomas / patrickt@netflix.com

Release Date:

2018-01-10

Application:

Hystrix (specifically hystrix-dashboard)

Release:

Hystrix-Dashboard, all versions

Source:

Former: https://github.com/Netflix/Hystrix/tree/master/hystrix-dashboard New: https://github.com/Netflix-Skunkworks/hystrix-dashboard

Severity:

Critical

Overview:

Hystrix includes an optional hystrix-dashboard component to provide a web dashboard of hystrix status. The dashboard is vulnerable to server-side request forgery in the proxy.stream and monitor.html endpoints. It is recommended that hystrix-dashboard not be used except behind authorization checks.

Patch:

Hystrix-dashboard is being moved from the main Netflix/Hystrix repository to the Netflix-Skunkworks organization to emphasize that it is an optional and unmaintained component.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

nflx-2018-001.md

nflx-2018-001.md

Advisory ID:

Advisory Title:

Author:

Release Date:

Application:

Release:

Source:

Severity:

Overview:

Patch:

Files

nflx-2018-001.md

Latest commit

History

nflx-2018-001.md

File metadata and controls

Advisory ID:

Advisory Title:

Author:

Release Date:

Application:

Release:

Source:

Severity:

Overview:

Patch: