High severityCISA KEVNVD Advisory· Published Jun 2, 2020· Updated Oct 21, 2025

Directory Traversal with spring-cloud-config-server

CVE-2020-5410

Description

Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.springframework.cloud:spring-cloud-config-serverMaven	>= 2.1.0, < 2.1.9	2.1.9
org.springframework.cloud:spring-cloud-config-serverMaven	>= 2.2.0, < 2.2.3	2.2.3

Affected products

Spring By VMware/Spring Cloud Configv5
Range: 2.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-32xf-jwmv-9hf3ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2020-5410ghsaADVISORY
tanzu.vmware.com/security/cve-2020-5410ghsax_refsource_CONFIRMWEB
www.cisa.gov/known-exploited-vulnerabilities-catalogghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.075
exploit	0.030
kev	0.120
patch	0.000
ransomware	0.000