GHSA-4x49-w62v-76q7

Suggest an improvement
Source
https://github.com/advisories/GHSA-4x49-w62v-76q7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-4x49-w62v-76q7/GHSA-4x49-w62v-76q7.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-4x49-w62v-76q7
Aliases
Published
2019-05-23T08:39:23Z
Modified
2023-11-01T04:50:56.918507Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Path Traversal in Spring Cloud Config
Details

Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.

Database specific
{
    "nvd_published_at": "2019-05-06T16:29:00Z",
    "github_reviewed_at": "2019-05-10T04:20:45Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Maven / org.springframework.cloud:spring-cloud-config-server

Package

Name
org.springframework.cloud:spring-cloud-config-server
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.cloud/spring-cloud-config-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.6

Affected versions

1.*

1.0.0.RELEASE
1.0.1.RELEASE
1.0.2.RELEASE
1.0.3.RELEASE
1.0.4.RELEASE
1.1.0.RELEASE
1.1.1.RELEASE
1.1.2.RELEASE
1.1.3.RELEASE
1.2.0.M1
1.2.0.RELEASE
1.2.1.RELEASE
1.2.2.RELEASE
1.2.3.RELEASE
1.3.0.RELEASE
1.3.1.RELEASE
1.3.2.RELEASE
1.3.3.RELEASE
1.3.4.RELEASE
1.4.0.RELEASE
1.4.1.RELEASE
1.4.2.RELEASE
1.4.3.RELEASE
1.4.4.RELEASE
1.4.5.RELEASE

Maven / org.springframework.cloud:spring-cloud-config-server

Package

Name
org.springframework.cloud:spring-cloud-config-server
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.cloud/spring-cloud-config-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.4

Affected versions

2.*

2.0.0.RELEASE
2.0.1.RELEASE
2.0.2.RELEASE
2.0.3.RELEASE

Maven / org.springframework.cloud:spring-cloud-config-server

Package

Name
org.springframework.cloud:spring-cloud-config-server
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.cloud/spring-cloud-config-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
2.1.2

Affected versions

2.*

2.1.0.RELEASE
2.1.1.RELEASE