VYPR

Maven package

org.springframework.cloud/spring-cloud-config-server

pkg:maven/org.springframework.cloud/spring-cloud-config-server

Vulnerabilities (7)

  • CVE-2026-41004MedMay 7, 2026
    affected >= 3.1.0, <= 3.1.13

    When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affe

  • CVE-2026-41002HigMay 7, 2026
    affected >= 3.1.0, <= 3.1.13

    The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.

  • CVE-2026-40982CriMay 7, 2026
    affected >= 3.1.0, <= 3.1.13

    Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x

  • CVE-2026-22739Mar 24, 2026
    affected >= 4.3.0, < 4.3.2fixed 4.3.2

    Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.This issue affects S

  • CVE-2020-5410KEVJun 2, 2020
    affected >= 2.1.0, < 2.1.9fixed 2.1.9

    Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a spe

  • CVE-2020-5405Mar 5, 2020
    affected >= 2.1.0, < 2.1.7fixed 2.1.7

    Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a spe

  • CVE-2019-3799May 6, 2019
    affected < 1.4.6fixed 1.4.6

    Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attac