CVE-2024-22236

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-22236
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-22236.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-22236
Aliases
Published
2024-01-31T07:15:07Z
Modified
2024-10-12T11:18:46.356163Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.

References

Affected packages

Git / github.com/spring-cloud/spring-cloud-contract

Affected ranges

Type
GIT
Repo
https://github.com/spring-cloud/spring-cloud-contract
Events

Affected versions

v3.*

v3.1.6
v3.1.7
v3.1.8
v3.1.9

v4.*

v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4