GHSA-32xf-jwmv-9hf3

Suggest an improvement
Source
https://github.com/advisories/GHSA-32xf-jwmv-9hf3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-32xf-jwmv-9hf3/GHSA-32xf-jwmv-9hf3.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-32xf-jwmv-9hf3
Aliases
Published
2020-06-05T16:13:20Z
Modified
2023-11-01T04:53:24.462767Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Directory traversal attack in Spring Cloud Config
Details

Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.

Database specific
{
    "nvd_published_at": "2020-06-02T17:15:00Z",
    "github_reviewed_at": "2020-06-04T19:07:50Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22",
        "CWE-23"
    ]
}
References

Affected packages

Maven / org.springframework.cloud:spring-cloud-config-server

Package

Name
org.springframework.cloud:spring-cloud-config-server
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.cloud/spring-cloud-config-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
2.1.9

Affected versions

2.*

2.1.0.RELEASE
2.1.1.RELEASE
2.1.2.RELEASE
2.1.3.RELEASE
2.1.4.RELEASE
2.1.5.RELEASE
2.1.6.RELEASE
2.1.7.RELEASE
2.1.8.RELEASE

Maven / org.springframework.cloud:spring-cloud-config-server

Package

Name
org.springframework.cloud:spring-cloud-config-server
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.cloud/spring-cloud-config-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.2.3

Affected versions

2.*

2.2.0.RELEASE
2.2.1.RELEASE
2.2.2.RELEASE