#VU30340 Path traversal in Spring Cloud Config - CVE-2020-5405

Published: March 5, 2020 / Updated: September 1, 2020


Vulnerability identifier: #VU30340
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2020-5405
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vulnerable software: Spring Cloud Config
Software vendor: Pivotal

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Spring Cloud Config versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user or attacker can send a request with a specially crafted URL that leads to a directory traversal attack.
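As an added defensive illustration, not code from this advisory or from Spring Cloud Config itself: the containment check a config-file-serving endpoint needs to close CWE-22, using a hypothetical config root and constructed request paths. It also normalises percent-encoded (including double-encoded) and backslash separators, which goes beyond the single crafted-URL case described above.

```python
from pathlib import Path
from urllib.parse import unquote

# Hypothetical root of the served configuration repository (assumed value;
# the real directory depends on the deployment).
CONFIG_ROOT = "/srv/config-repo"


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so encoded and
    double-encoded separators (%2e%2e%2f, %252e...) are seen as what they
    become rather than as harmless literal text."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve_config_path(requested: str, base_dir: str = CONFIG_ROOT):
    """Map a request path to a file under base_dir, or return None when the
    normalised path escapes the root (the CWE-22 containment check).
    Path.resolve() also follows symlinks, so a link that points outside the
    root is rejected as well."""
    root = Path(base_dir).resolve()
    relative = fully_decode(requested).replace("\\", "/").lstrip("/")
    candidate = (root / relative).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def audit_requests(paths):
    """Return the request paths that would have escaped the root; useful for
    replaying request paths taken from an access log against the check."""
    return [p for p in paths if resolve_config_path(p) is None]


if __name__ == "__main__":
    # Constructed sample request paths, not real traffic.
    sample = [
        "myapp/application.yml",
        "myapp/../../outside-root.txt",
        "myapp/..%2f..%2foutside-root.txt",
        "%252e%252e/%252e%252e/outside-root.txt",
    ]
    for p in sample:
        verdict = "REJECT" if resolve_config_path(p) is None else "serve "
        print(f"{verdict} {p}")
```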


Remediation

Install updates from the vendor's website.

External links