Path traversal in Spring Cloud Config - CVE-2020-5405

Published: March 5, 2020 / Updated: September 1, 2020


Vulnerability identifier: #VU30340
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2020-5405
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vendor: Pivotal
Affected software:
Spring Cloud Config

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.
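Added here as an illustration of the CWE-22 defence such a server needs, not code from Spring Cloud Config itself: a language-neutral check (written in Python) that maps a client-supplied file path onto the configuration repository root and refuses any request whose canonical location falls outside that root. The root directory and the request strings are constructed for the example.

```python
import os
from pathlib import Path
from urllib.parse import unquote

# Constructed root for the example. In a config server the checked-out
# configuration repository plays this role.
CONFIG_ROOT = Path("/srv/config-repo")


class TraversalAttempt(ValueError):
    """Raised when a requested path would resolve outside the config root."""


def resolve_config_path(requested: str, root: Path = CONFIG_ROOT) -> Path:
    """Map a client-supplied path onto the config root, refusing escapes.

    The request is percent-decoded twice so double-encoded separators are
    seen, backslashes are treated as separators, and the normalised result
    must still sit at or below the normalised root.
    """
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        raise TraversalAttempt("embedded NUL byte in requested path")
    normalised = decoded.replace("\\", "/")
    # Drop a leading slash so the root is not discarded by the join.
    candidate = os.path.normpath(os.path.join(str(root), normalised.lstrip("/")))
    root_str = os.path.normpath(str(root))
    # The trailing separator stops "/srv/config-repo-other" from matching.
    if candidate != root_str and not candidate.startswith(root_str + os.sep):
        raise TraversalAttempt(f"refusing path outside config root: {requested!r}")
    return Path(candidate)


def is_safe_config_path(requested: str, root: Path = CONFIG_ROOT) -> bool:
    """True when the request stays within the config root, else False."""
    try:
        resolve_config_path(requested, root)
    except TraversalAttempt:
        return False
    return True


if __name__ == "__main__":
    # Constructed requests: one legitimate, two that try to leave the root.
    for req in ("app/default/application.yml", "../../secret.txt",
                "..%252F..%252Fsecret.txt"):
        print(f"{req!r}: {'allowed' if is_safe_config_path(req) else 'rejected'}")
```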


How to mitigate CVE-2020-5405

Install the update from the vendor's website.

Sources