Maven package
org.springframework.cloud/spring-cloud-config-server
pkg:maven/org.springframework.cloud/spring-cloud-config-server
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41004 | Medium | 4.4 | | >= 3.1.0, <= 3.1.13 | — | May 7, 2026 | When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affe |
| CVE-2026-41002 | High | 7.2 | | >= 3.1.0, <= 3.1.13 | — | May 7, 2026 | The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3. |
| CVE-2026-40982 | Critical | 9.1 | | >= 3.1.0, <= 3.1.13 | — | May 7, 2026 | Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x |
| CVE-2026-22739 | — | | | >= 4.3.0, < 4.3.2 | 4.3.2 | Mar 24, 2026 | Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories. This issue affects S |
| CVE-2020-5410 | — | | KEV | >= 2.1.0, < 2.1.9 | 2.1.9 | Jun 2, 2020 | Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a spe |
| CVE-2020-5405 | — | | | >= 2.1.0, < 2.1.7 | 2.1.7 | Mar 5, 2020 | Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a spe |
| CVE-2019-3799 | — | | | < 1.4.6 | 1.4.6 | May 6, 2019 | Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attac |