Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wNnJwLW14ODUtbTQ1Oc4AA49f
Spring Cloud Contract vulnerable to local information disclosure
In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.
Permalink: https://github.com/advisories/GHSA-p6rp-mx85-m459JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wNnJwLW14ODUtbTQ1Oc4AA49f
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 10 months ago
Updated: 10 months ago
CVSS Score: 3.3
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-p6rp-mx85-m459, CVE-2024-22236
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-22236
- https://spring.io/security/cve-2024-22236
- https://github.com/advisories/GHSA-p6rp-mx85-m459
Affected Packages
maven:org.springframework.cloud:spring-cloud-contract-shade
Dependent packages: 29Dependent repositories: 14
Downloads:
Affected Version Ranges: >= 3.1.0, < 3.1.10, >= 4.0.0, < 4.0.5, = 4.1.0
Fixed in: 3.1.10, 4.0.5, 4.1.1
All affected versions: 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0
All unaffected versions: 3.0.0, 3.0.1, 3.0.5, 3.0.6, 3.1.10, 4.0.5, 4.1.1, 4.1.2, 4.1.3, 4.1.4