PT-2024-19288 · Google+1 · Guava+1

Author: Michael Kimball
Published: 2024-01-31
Updated: 2024-02-09
CVE: CVE-2024-22236
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Spring Cloud Contract versions 3.1.x prior to 3.1.10
Spring Cloud Contract versions 4.0.x prior to 4.0.5
Spring Cloud Contract versions 4.1.x prior to 4.1.1

Description

The issue is a local information disclosure: the shaded com.google.guava:guava dependency bundled in org.springframework.cloud:spring-cloud-contract-shade creates a temporary directory with unsafe permissions, so other local users can read what is written there. This affects test execution in the specified versions of Spring Cloud Contract.

Recommendations

For versions 3.1.x prior to 3.1.10, update to version 3.1.10 or later.
For versions 4.0.x prior to 4.0.5, update to version 4.0.5 or later.
For versions 4.1.x prior to 4.1.1, update to version 4.1.1 or later.
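An added example (not code from the advisory, from Guava or from Spring Cloud Contract) showing the weak temp-directory pattern beside a hardened replacement and a permission check; it assumes the shaded Guava call at issue is the classic com.google.common.io.Files.createTempDir(), which relies on File.mkdir() and therefore inherits the process umask.

```java
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Added example, not code from the advisory or from Spring Cloud Contract.
// Assumption: the shaded Guava call behind this advisory is the classic
// com.google.common.io.Files.createTempDir(), which uses File.mkdir() and so
// inherits the umask (typically 0755: every local user can read the contents).
public final class SafeTempDir {
    // Owner-only: group and other get no bits at all.
    private static final Set<PosixFilePermission> OWNER_ONLY =
            PosixFilePermissions.fromString("rwx------");
    private static boolean posix() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    // Hardened replacement: the mode is applied atomically at creation, so there
    // is no window in which the directory is readable by other users.
    public static Path create(String prefix) throws IOException {
        if (posix()) {
            FileAttribute<Set<PosixFilePermission>> attr =
                    PosixFilePermissions.asFileAttribute(OWNER_ONLY);
            return Files.createTempDirectory(prefix, attr);
        }
        return Files.createTempDirectory(prefix); // non-POSIX: JDK sets a restrictive ACL
    }

    // Detection check for an existing directory: true if group or other hold any bit.
    public static boolean isWorldAccessible(Path dir) throws IOException {
        if (!posix()) return false; // no POSIX mode bits to inspect on this platform
        return Files.getPosixFilePermissions(dir).stream()
                .anyMatch(p -> !OWNER_ONLY.contains(p));
    }
    public static void main(String[] args) throws IOException {
        // Weak pattern (plain mkdir under java.io.tmpdir, umask-dependent) beside the fix.
        Path weak = Files.createDirectory(
                Path.of(System.getProperty("java.io.tmpdir"), "weak-" + System.nanoTime()));
        Path safe = create("safe-");
        System.out.println("weak world-accessible: " + isWorldAccessible(weak));
        System.out.println("safe world-accessible: " + isWorldAccessible(safe));
        Files.delete(weak);
        Files.delete(safe);
    }
}
```

The same isWorldAccessible check can be pointed at a build agent's java.io.tmpdir after a test run to confirm that an upgraded Spring Cloud Contract no longer leaves group- or world-readable directories behind.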

Fix

Weakness Enumeration

Incorrect Permission

Related Identifiers

CVE-2024-22236
GHSA-P6RP-MX85-M459

Affected Products

Guava
Spring Cloud Contract