PT-2020-18461 · Spring · Spring Cloud Config

Yiming Xiang · Published 2020-03-05 · Updated 2020-06-05 · CVE-2020-5405

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Spring Cloud Config versions 2.2.x prior to 2.2.2
Spring Cloud Config versions 2.1.x prior to 2.1.7
Spring Cloud Config older unsupported versions

Description

The issue allows applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Recommendations

For Spring Cloud Config versions 2.2.x prior to 2.2.2, update to version 2.2.2 or later.
For Spring Cloud Config versions 2.1.x prior to 2.1.7, update to version 2.1.7 or later.
For Spring Cloud Config older unsupported versions, consider upgrading to a supported version to mitigate the risk.

Weakness Enumeration

Relative Path Traversal
Path traversal

Related Identifiers

CVE-2020-5405
GHSA-G86W-V5VG-9GXF

Affected Products

Spring Cloud Config