CVE-2019-3799 – org.springframework.cloud:spring-cloud-config-server

Package

Manager: maven
Name: org.springframework.cloud:spring-cloud-config-server
Vulnerable Version: >=0 <1.4.6 || >=2.0.0 <2.0.4 || >=2.1.0 <2.1.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.91318 pctl0.99644

Details

Path Traversal in Spring Cloud Config Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.

Metadata

Created: 2019-05-23T08:39:23Z
Modified: 2021-08-03T21:40:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-4x49-w62v-76q7/GHSA-4x49-w62v-76q7.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-4x49-w62v-76q7
Finding: F063
Auto approve: 1