GHSA-p6rp-mx85-m459

Suggest an improvement
Source
https://github.com/advisories/GHSA-p6rp-mx85-m459
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-p6rp-mx85-m459/GHSA-p6rp-mx85-m459.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-p6rp-mx85-m459
Aliases
Published
2024-01-31T09:30:18Z
Modified
2024-02-09T18:01:48.649635Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Spring Cloud Contract vulnerable to local information disclosure
Details

In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.

Database specific
{
    "nvd_published_at": "2024-01-31T07:15:07Z",
    "cwe_ids": [
        "CWE-732"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-31T18:07:41Z"
}
References

Affected packages

Maven / org.springframework.cloud:spring-cloud-contract-shade

Package

Name
org.springframework.cloud:spring-cloud-contract-shade
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.cloud/spring-cloud-contract-shade

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.1.0
Fixed
4.1.1

Affected versions

4.*

4.1.0

Maven / org.springframework.cloud:spring-cloud-contract-shade

Package

Name
org.springframework.cloud:spring-cloud-contract-shade
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.cloud/spring-cloud-contract-shade

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.0.5

Affected versions

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4

Maven / org.springframework.cloud:spring-cloud-contract-shade

Package

Name
org.springframework.cloud:spring-cloud-contract-shade
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.cloud/spring-cloud-contract-shade

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.10

Affected versions

3.*

3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9