CVE-2020-5410 – org.springframework.cloud:spring-cloud-config-server

Package

Manager: maven
Name: org.springframework.cloud:spring-cloud-config-server
Vulnerable Version: >=2.1.0 <2.1.9 || >=2.2.0 <2.2.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.94346 pctl0.99953

Details

Directory traversal attack in Spring Cloud Config Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.

Metadata

Created: 2020-06-05T16:13:20Z
Modified: 2022-09-21T19:31:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-32xf-jwmv-9hf3/GHSA-32xf-jwmv-9hf3.json
CWE IDs: ["CWE-22", "CWE-23"]
Alternative ID: GHSA-32xf-jwmv-9hf3
Finding: F063
Auto approve: 1