Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTR4NDktdzYydi03NnE3
Path Traversal in Spring Cloud Config
Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.
Permalink: https://github.com/advisories/GHSA-4x49-w62v-76q7JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTR4NDktdzYydi03NnE3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: almost 2 years ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Percentage: 0.02567
EPSS Percentile: 0.90501
Identifiers: GHSA-4x49-w62v-76q7, CVE-2019-3799
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-3799
- https://github.com/mpgn/CVE-2019-3799
- https://pivotal.io/security/cve-2019-3799
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://github.com/advisories/GHSA-4x49-w62v-76q7
Blast Radius: 27.2
Affected Packages
maven:org.springframework.cloud:spring-cloud-config-server
Dependent packages: 227Dependent repositories: 15,290
Downloads:
Affected Version Ranges: >= 2.1.0, < 2.1.2, >= 2.0.0, < 2.0.4, < 1.4.6
Fixed in: 2.1.2, 2.0.4, 1.4.6
All affected versions:
All unaffected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.6, 3.0.7, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.1.0, 4.1.1, 4.1.2, 4.1.3