Seal Security

CVE-2019-3799

Path Traversal in Spring Cloud Config

Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading

Vulnerability Details

Score

6.4

Score Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Affected Versions

org.springframework.cloud:spring-cloud-config-server < 1.4.6; org.springframework.cloud:spring-cloud-config-server >= 2.0.0 < 2.0.4; org.springframework.cloud:spring-cloud-config-server >= 2.1.0 < 2.1.2

Severity

Medium

Ecosystem

Publish Date

May 23, 2019

Modified Date

November 7, 2023