Spring · Spring Cloud Config · CVE-2020-5410
Name of the Vulnerable Software and Affected Versions:
Spring Cloud Config versions 2.1.x prior to 2.1.9
Spring Cloud Config versions 2.2.x prior to 2.2.3
Spring Cloud Config older unsupported versions
Description:
The issue allows applications to serve arbitrary configuration files through the spring-cloud-config-server module. A remote attacker can send an HTTP request with a specially crafted URL that leads to a directory traversal, enabling access to protected information outside the intended configuration location.
Recommendations:
For Spring Cloud Config versions 2.1.x prior to 2.1.9, update to version 2.1.9 or later.
For Spring Cloud Config versions 2.2.x prior to 2.2.3, update to version 2.2.3 or later.
For Spring Cloud Config older unsupported versions, consider upgrading to a supported version to mitigate the risk of exploitation.
As a temporary workaround, consider restricting network access to the spring-cloud-config-server module until the upgrade can be applied.
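As an added example, not part of this advisory or of the Spring project, the following Python script applies the affected-version ranges listed above to a Maven pom.xml and reports whether a declared spring-cloud-config-server dependency needs the upgrade. The pom snippet is constructed, and treating a trailing qualifier such as `.RELEASE` as irrelevant to the comparison is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# First patched version per affected line, taken from the advisory above.
FIXED_PATCH = {(2, 1): 9, (2, 2): 3}

def parse_version(version):
    """'2.1.8.RELEASE' or '2.2.3' -> (2, 1, 8); qualifiers are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.groups())

def assess(version):
    """Return (affected, advice) for one spring-cloud-config-server version."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_PATCH:
        fixed = FIXED_PATCH[line]
        if patch < fixed:
            return True, f"update to {major}.{minor}.{fixed} or later"
        return False, "fixed version; not affected by CVE-2020-5410"
    if line < min(FIXED_PATCH):
        return True, "older unsupported line; upgrade to a supported version"
    return False, "newer than the ranges listed in the advisory"

def scan_pom(pom_xml):
    """List (version, affected, advice) for each spring-cloud-config-server
    dependency in a Maven pom.xml string (namespaced or not)."""
    results = []
    for dep in ET.fromstring(pom_xml).iter():
        if dep.tag.rsplit("}", 1)[-1] != "dependency":
            continue
        f = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in dep}
        if (f.get("groupId"), f.get("artifactId")) != (
                "org.springframework.cloud", "spring-cloud-config-server"):
            continue
        if not f.get("version"):  # inherited from a parent POM or BOM
            results.append((None, None, "version managed elsewhere; check the resolved version"))
            continue
        results.append((f["version"],) + assess(f["version"]))
    return results

# Constructed sample pom, not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-config-server</artifactId>
    <version>2.1.8.RELEASE</version></dependency>
</dependencies></project>"""
```

A dependency whose version is inherited from a parent POM or BOM is flagged for manual review rather than assessed, since only the resolved version (for example from `mvn dependency:tree`) is meaningful there.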