Moderate severityNVD Advisory· Published May 6, 2019· Updated Sep 17, 2024

Directory Traversal with spring-cloud-config-server

CVE-2019-3799

Description

Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.springframework.cloud:spring-cloud-config-serverMaven	< 1.4.6	1.4.6
org.springframework.cloud:spring-cloud-config-serverMaven	>= 2.0.0, < 2.0.4	2.0.4
org.springframework.cloud:spring-cloud-config-serverMaven	>= 2.1.0, < 2.1.2	2.1.2

Affected products

Spring Projects/Spring Cloud Configv5
Range: 2.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-4x49-w62v-76q7ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2019-3799ghsaADVISORY
pivotal.io/security/cve-2019-3799ghsax_refsource_CONFIRMWEB
www.oracle.com/security-alerts/cpuapr2022.htmlghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.073
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000