Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Deployments on an affected release line should move to 2.1.2, 2.0.4 or 1.4.6 or later; no fixed release is listed here for the older unsupported versions.
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-3799.json"
[
{
"signature_type": "Line",
"deprecated": false,
"source": "https://github.com/spring-cloud/spring-cloud-config/commit/2fcda6e1cb3d59e9e4accf92de1401d6c32092de",
"id": "CVE-2019-3799-0636d904",
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"94919465187543866970660553545285181372",
"68274752391660966962152554233441497566",
"193452037949087127198119754004826598971",
"166147205203648982418675755032725841562",
"275152148129752306237161848041872517300",
"264217287882986353280194834284592748372",
"25244021440852412504933894519844512179",
"322096917969862465322643984486128749491",
"128680357418445237383179345481252631028",
"167726214489020897194106252811918622933",
"297308149182000668762319979272761800698",
"283963623881780530073181660326261980832",
"275730032358908697354549790090739710787",
"197463681772859408202623160137270127798",
"298479558906306396605450710318922137912",
"168429358341195919678594681729586394943",
"190248381295123808074338993970898165355",
"243239218514652414550734838758502337908",
"226401398484896276700615659631558598701",
"226969712610447052750936659983570408598",
"238771086858012736805693825792849873716",
"107634937280829966523683359414083711014",
"267921123114983007076650789287533637245",
"102715412356406950219770955940244365114",
"287490125321611852947951489243539965083",
"325380430615033688285015481369847096390",
"179479787210101047148126097551328974728",
"214907776460882731214202324498802655739",
"148191939425558738617431902452764072112",
"145852163909169864843084884897346843106",
"115986887373827876102682101560048162083",
"119258988697698457769296765622298402469",
"183325986263730029783145769233746546977"
]
},
"target": {
"file": "spring-cloud-config-server/src/main/java/org/springframework/cloud/config/server/resource/GenericResourceRepository.java"
}
},
{
"signature_type": "Line",
"deprecated": false,
"source": "https://github.com/spring-cloud/spring-cloud-config/commit/2fcda6e1cb3d59e9e4accf92de1401d6c32092de",
"id": "CVE-2019-3799-d17abe1a",
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"243590834716320725105594350814500882154",
"269890579721546833819407202798994410207",
"194976620405423695720624834494797958197",
"202705256757408202299941250544196632952",
"282371284396453858276321070849083910540"
]
},
"target": {
"file": "spring-cloud-config-server/src/test/java/org/springframework/cloud/config/server/resource/GenericResourceRepositoryTests.java"
}
}
]