Search criteria
12 vulnerabilities found for spring_cloud_config by vmware
FKIE_CVE-2023-20859
Vulnerability from fkie_nvd - Published: 2023-03-23 21:15 - Updated: 2024-11-21 07:41
Severity ?
Summary
In Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token.
References
| URL | Tags | ||
|---|---|---|---|
| security@vmware.com | https://spring.io/security/cve-2023-20859 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://spring.io/security/cve-2023-20859 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vmware | spring_cloud_config | * | |
| vmware | spring_cloud_config | * | |
| vmware | spring_cloud_vault | * | |
| vmware | spring_cloud_vault | 4.0.0 | |
| vmware | spring_vault | * | |
| vmware | spring_vault | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vmware:spring_cloud_config:*:*:*:*:*:*:*:*",
"matchCriteriaId": "27E7C265-DE73-4FE5-BAE9-D6FD0B838B90",
"versionEndIncluding": "3.1.6",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_cloud_config:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6A42F633-1074-46A8-AB65-DF694B34F650",
"versionEndIncluding": "4.0.1",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_cloud_vault:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B545C7F6-40FB-4010-9146-1ED3FB861E79",
"versionEndIncluding": "3.1.2",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_cloud_vault:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DDBE7574-C6A7-4EE3-B7BE-5D867E1034BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_vault:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B2216E96-8849-4F10-BB79-24BB6B5A1F15",
"versionEndExcluding": "2.3.3",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_vault:*:*:*:*:*:*:*:*",
"matchCriteriaId": "87C49F06-1DF2-4BA5-89E4-1FD4ED9086FF",
"versionEndExcluding": "3.0.2",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token."
}
],
"id": "CVE-2023-20859",
"lastModified": "2024-11-21T07:41:42.577",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-23T21:15:19.680",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://spring.io/security/cve-2023-20859"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://spring.io/security/cve-2023-20859"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-532"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-5410
Vulnerability from fkie_nvd - Published: 2020-06-02 17:15 - Updated: 2025-11-03 19:21
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vmware | spring_cloud_config | * | |
| vmware | spring_cloud_config | * |
{
"cisaActionDue": "2022-04-15",
"cisaExploitAdd": "2022-03-25",
"cisaRequiredAction": "Apply updates per vendor instructions.",
"cisaVulnerabilityName": "VMware Tanzu Spring Cloud Config Directory Traversal Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vmware:spring_cloud_config:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AD89FB84-A583-4310-B217-43EFB4825969",
"versionEndExcluding": "2.1.9",
"versionStartIncluding": "2.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_cloud_config:*:*:*:*:*:*:*:*",
"matchCriteriaId": "286B290C-8CEA-4EE1-B899-ED799CFF2B44",
"versionEndExcluding": "2.2.3",
"versionStartIncluding": "2.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack."
},
{
"lang": "es",
"value": "Spring Cloud Config, las versiones 2.2.x anteriores a 2.2.3, versiones 2.1.x anteriores a 2.1.9, y las versiones m\u00e1s antiguas no compatibles, permiten a las aplicaciones servir archivos de configuraci\u00f3n arbitrarios por medio del m\u00f3dulo spring Cloud-config-server. Un usuario malicioso, o un atacante, puede enviar una petici\u00f3n usando una URL especialmente dise\u00f1ada que puede conllevar a un ataque de salto de directorio."
}
],
"id": "CVE-2020-5410",
"lastModified": "2025-11-03T19:21:42.220",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2020-06-02T17:15:11.690",
"references": [
{
"source": "security@pivotal.io",
"tags": [
"Vendor Advisory"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5410"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5410"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"US Government Resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5410"
}
],
"sourceIdentifier": "security@pivotal.io",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-23"
}
],
"source": "security@pivotal.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-5405
Vulnerability from fkie_nvd - Published: 2020-03-05 19:15 - Updated: 2024-11-21 05:34
Severity ?
Summary
Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.
References
| URL | Tags | ||
|---|---|---|---|
| security@pivotal.io | https://pivotal.io/security/cve-2020-5405 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pivotal.io/security/cve-2020-5405 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vmware | spring_cloud_config | * | |
| vmware | spring_cloud_config | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vmware:spring_cloud_config:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4C8E6F0B-784C-4485-9FDC-6B1DDB2DDA9F",
"versionEndExcluding": "2.1.7",
"versionStartIncluding": "2.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_cloud_config:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2418A83C-F975-467A-93DA-1E35B967E17C",
"versionEndExcluding": "2.2.2",
"versionStartIncluding": "2.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack."
},
{
"lang": "es",
"value": "Spring Cloud Config, versiones 2.2.x anteriores a 2.2.2, versiones 2.1.x anteriores a 2.1.7 y versiones anteriores no compatibles, permite a unas aplicaciones servir archivos de configuraci\u00f3n arbitrarios por medio del m\u00f3dulo spring-cloud-config-server. Un usuario malicioso, o atacante, puede enviar una petici\u00f3n usando una URL especialmente dise\u00f1ada que puede conllevar a un ataque de salto de directorio."
}
],
"id": "CVE-2020-5405",
"lastModified": "2024-11-21T05:34:05.090",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-03-05T19:15:11.700",
"references": [
{
"source": "security@pivotal.io",
"tags": [
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2020-5405"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2020-5405"
}
],
"sourceIdentifier": "security@pivotal.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-23"
}
],
"source": "security@pivotal.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-3799
Vulnerability from fkie_nvd - Published: 2019-05-06 16:29 - Updated: 2024-11-21 04:42
Severity ?
Summary
Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.
References
| URL | Tags | ||
|---|---|---|---|
| security_alert@emc.com | https://pivotal.io/security/cve-2019-3799 | Vendor Advisory | |
| security_alert@emc.com | https://www.oracle.com/security-alerts/cpuapr2022.html | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pivotal.io/security/cve-2019-3799 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpuapr2022.html | Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vmware | spring_cloud_config | * | |
| vmware | spring_cloud_config | * | |
| vmware | spring_cloud_config | * | |
| oracle | communications_cloud_native_core_policy | 1.15.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vmware:spring_cloud_config:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A724E528-B720-439B-84A6-86A3E34D1CB2",
"versionEndExcluding": "1.4.6",
"versionStartIncluding": "1.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_cloud_config:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DA89E863-F397-4359-8F46-1D8200415C94",
"versionEndExcluding": "2.0.4",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_cloud_config:*:*:*:*:*:*:*:*",
"matchCriteriaId": "579E4C4A-DDE1-43F8-BD16-16E583404148",
"versionEndExcluding": "2.1.2",
"versionStartIncluding": "2.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B4367D9B-BF81-47AD-A840-AC46317C774D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack."
},
{
"lang": "es",
"value": "Spring Cloud Config, versiones 2.1.x anteriores a 2.1.2, versiones 2.0.x anteriores a 2.0.4, versiones 1.4.x anteriores a 1.4.6, y versiones anteriores no compatibles, permiten que aplicaciones entreguen archivos de configuraci\u00f3n arbitrarios por medio del M\u00f3dulo spring-cloud-config-server. Un usuario malicioso, o un atacante, puede enviar una petici\u00f3n usando una URL especialmente creada que puede provocar un ataque transversal a un directorio."
}
],
"id": "CVE-2019-3799",
"lastModified": "2024-11-21T04:42:33.827",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-05-06T16:29:01.567",
"references": [
{
"source": "security_alert@emc.com",
"tags": [
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2019-3799"
},
{
"source": "security_alert@emc.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2019-3799"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"sourceIdentifier": "security_alert@emc.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security_alert@emc.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-20859 (GCVE-0-2023-20859)
Vulnerability from cvelistv5 – Published: 2023-03-23 00:00 – Updated: 2025-02-25 15:40
VLAI?
Summary
In Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token.
Severity ?
No CVSS data available.
CWE
- Information disclosure vulnerability
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Spring Vault, Spring Cloud Vault, Spring Cloud Config |
Affected:
Spring Vault (3.0.0 to 3.0.1, 2.3.0 to 2.3.2), Spring Cloud Vault (4.0.0, 3.1.0 to 3.1.2 and older versions), Spring Cloud Config (4.0.0 to 4.0.1, 3.1.0 to 3.1.6 and older versions)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T09:21:32.442Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://spring.io/security/cve-2023-20859"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-20859",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T15:40:11.169973Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T15:40:28.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Spring Vault, Spring Cloud Vault, Spring Cloud Config",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Spring Vault (3.0.0 to 3.0.1, 2.3.0 to 2.3.2), Spring Cloud Vault (4.0.0, 3.1.0 to 3.1.2 and older versions), Spring Cloud Config (4.0.0 to 4.0.1, 3.1.0 to 3.1.6 and older versions)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information disclosure vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-23T00:00:00.000Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2023-20859"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2023-20859",
"datePublished": "2023-03-23T00:00:00.000Z",
"dateReserved": "2022-11-01T00:00:00.000Z",
"dateUpdated": "2025-02-25T15:40:28.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5410 (GCVE-0-2020-5410)
Vulnerability from cvelistv5 – Published: 2020-06-02 16:50 – Updated: 2025-10-21 23:35
VLAI?
Summary
Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.
Severity ?
7.5 (High)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Spring by VMware | Spring Cloud Config |
Affected:
2.1 , < 2.1.9
(custom)
Affected: 2.2 , < 2.2.3 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.192Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5410"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-5410",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T12:43:59.584737Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-03-25",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5410"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:35:43.023Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5410"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-03-25T00:00:00+00:00",
"value": "CVE-2020-5410 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Spring Cloud Config",
"vendor": "Spring by VMware",
"versions": [
{
"lessThan": "2.1.9",
"status": "affected",
"version": "2.1",
"versionType": "custom"
},
{
"lessThan": "2.2.3",
"status": "affected",
"version": "2.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-06-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-02T16:50:11.000Z",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5410"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Directory Traversal with spring-cloud-config-server",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2020-06-01T00:00:00.000Z",
"ID": "CVE-2020-5410",
"STATE": "PUBLIC",
"TITLE": "Directory Traversal with spring-cloud-config-server"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring Cloud Config",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.1",
"version_value": "2.1.9"
},
{
"version_affected": "\u003c",
"version_name": "2.2",
"version_value": "2.2.3"
}
]
}
}
]
},
"vendor_name": "Spring by VMware"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack."
}
]
},
"impact": null,
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-23: Relative Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tanzu.vmware.com/security/cve-2020-5410",
"refsource": "CONFIRM",
"url": "https://tanzu.vmware.com/security/cve-2020-5410"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2020-5410",
"datePublished": "2020-06-02T16:50:12.055Z",
"dateReserved": "2020-01-03T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:35:43.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5405 (GCVE-0-2020-5405)
Vulnerability from cvelistv5 – Published: 2020-03-05 19:00 – Updated: 2024-09-16 22:36
VLAI?
Summary
Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.
Severity ?
No CVSS data available.
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Spring by VMware | Spring Cloud Config |
Affected:
2.2 , < 2.2.2
(custom)
Affected: 2.1 , < 2.1.7 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.557Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2020-5405"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Spring Cloud Config",
"vendor": "Spring by VMware",
"versions": [
{
"lessThan": "2.2.2",
"status": "affected",
"version": "2.2",
"versionType": "custom"
},
{
"lessThan": "2.1.7",
"status": "affected",
"version": "2.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-03-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-05T19:00:19",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2020-5405"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Directory Traversal with spring-cloud-config-server",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2020-03-05T00:00:00.000Z",
"ID": "CVE-2020-5405",
"STATE": "PUBLIC",
"TITLE": "Directory Traversal with spring-cloud-config-server"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring Cloud Config",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.2",
"version_value": "2.2.2"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.1",
"version_value": "2.1.7"
}
]
}
}
]
},
"vendor_name": "Spring by VMware"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-23: Relative Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pivotal.io/security/cve-2020-5405",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2020-5405"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2020-5405",
"datePublished": "2020-03-05T19:00:19.429999Z",
"dateReserved": "2020-01-03T00:00:00",
"dateUpdated": "2024-09-16T22:36:28.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-3799 (GCVE-0-2019-3799)
Vulnerability from cvelistv5 – Published: 2019-05-06 15:21 – Updated: 2024-09-17 00:16
VLAI?
Summary
Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.
Severity ?
No CVSS data available.
CWE
- CWE-22 - Path Traversal
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Spring | Spring Cloud Config |
Affected:
2.0 , < v2.0.4.RELEASE
(custom)
Affected: 1.4 , < v1.4.6.RELEASE (custom) Affected: 2.1 , < v2.1.2.RELEASE (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:19:18.484Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2019-3799"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Spring Cloud Config",
"vendor": "Spring",
"versions": [
{
"lessThan": "v2.0.4.RELEASE",
"status": "affected",
"version": "2.0",
"versionType": "custom"
},
{
"lessThan": "v1.4.6.RELEASE",
"status": "affected",
"version": "1.4",
"versionType": "custom"
},
{
"lessThan": "v2.1.2.RELEASE",
"status": "affected",
"version": "2.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-04-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T23:20:44",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2019-3799"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Directory Traversal with spring-cloud-config-server",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2019-04-17T00:00:00.000Z",
"ID": "CVE-2019-3799",
"STATE": "PUBLIC",
"TITLE": "Directory Traversal with spring-cloud-config-server"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring Cloud Config",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.0",
"version_value": "v2.0.4.RELEASE"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "1.4",
"version_value": "v1.4.6.RELEASE"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.1",
"version_value": "v2.1.2.RELEASE"
}
]
}
}
]
},
"vendor_name": "Spring"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://pivotal.io/security/cve-2019-3799",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2019-3799"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2019-3799",
"datePublished": "2019-05-06T15:21:37.135488Z",
"dateReserved": "2019-01-03T00:00:00",
"dateUpdated": "2024-09-17T00:16:21.820Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-20859 (GCVE-0-2023-20859)
Vulnerability from nvd – Published: 2023-03-23 00:00 – Updated: 2025-02-25 15:40
VLAI?
Summary
In Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token.
Severity ?
No CVSS data available.
CWE
- Information disclosure vulnerability
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Spring Vault, Spring Cloud Vault, Spring Cloud Config |
Affected:
Spring Vault (3.0.0 to 3.0.1, 2.3.0 to 2.3.2), Spring Cloud Vault (4.0.0, 3.1.0 to 3.1.2 and older versions), Spring Cloud Config (4.0.0 to 4.0.1, 3.1.0 to 3.1.6 and older versions)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T09:21:32.442Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://spring.io/security/cve-2023-20859"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-20859",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T15:40:11.169973Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T15:40:28.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Spring Vault, Spring Cloud Vault, Spring Cloud Config",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Spring Vault (3.0.0 to 3.0.1, 2.3.0 to 2.3.2), Spring Cloud Vault (4.0.0, 3.1.0 to 3.1.2 and older versions), Spring Cloud Config (4.0.0 to 4.0.1, 3.1.0 to 3.1.6 and older versions)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information disclosure vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-23T00:00:00.000Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2023-20859"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2023-20859",
"datePublished": "2023-03-23T00:00:00.000Z",
"dateReserved": "2022-11-01T00:00:00.000Z",
"dateUpdated": "2025-02-25T15:40:28.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5410 (GCVE-0-2020-5410)
Vulnerability from nvd – Published: 2020-06-02 16:50 – Updated: 2025-10-21 23:35
VLAI?
Summary
Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.
Severity ?
7.5 (High)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Spring by VMware | Spring Cloud Config |
Affected:
2.1 , < 2.1.9
(custom)
Affected: 2.2 , < 2.2.3 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.192Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5410"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-5410",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T12:43:59.584737Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-03-25",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5410"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:35:43.023Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5410"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-03-25T00:00:00+00:00",
"value": "CVE-2020-5410 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Spring Cloud Config",
"vendor": "Spring by VMware",
"versions": [
{
"lessThan": "2.1.9",
"status": "affected",
"version": "2.1",
"versionType": "custom"
},
{
"lessThan": "2.2.3",
"status": "affected",
"version": "2.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-06-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-02T16:50:11.000Z",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5410"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Directory Traversal with spring-cloud-config-server",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2020-06-01T00:00:00.000Z",
"ID": "CVE-2020-5410",
"STATE": "PUBLIC",
"TITLE": "Directory Traversal with spring-cloud-config-server"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring Cloud Config",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.1",
"version_value": "2.1.9"
},
{
"version_affected": "\u003c",
"version_name": "2.2",
"version_value": "2.2.3"
}
]
}
}
]
},
"vendor_name": "Spring by VMware"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack."
}
]
},
"impact": null,
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-23: Relative Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tanzu.vmware.com/security/cve-2020-5410",
"refsource": "CONFIRM",
"url": "https://tanzu.vmware.com/security/cve-2020-5410"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2020-5410",
"datePublished": "2020-06-02T16:50:12.055Z",
"dateReserved": "2020-01-03T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:35:43.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5405 (GCVE-0-2020-5405)
Vulnerability from nvd – Published: 2020-03-05 19:00 – Updated: 2024-09-16 22:36
VLAI?
Summary
Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.
Severity ?
No CVSS data available.
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Spring by VMware | Spring Cloud Config |
Affected:
2.2 , < 2.2.2
(custom)
Affected: 2.1 , < 2.1.7 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.557Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2020-5405"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Spring Cloud Config",
"vendor": "Spring by VMware",
"versions": [
{
"lessThan": "2.2.2",
"status": "affected",
"version": "2.2",
"versionType": "custom"
},
{
"lessThan": "2.1.7",
"status": "affected",
"version": "2.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-03-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-05T19:00:19",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2020-5405"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Directory Traversal with spring-cloud-config-server",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2020-03-05T00:00:00.000Z",
"ID": "CVE-2020-5405",
"STATE": "PUBLIC",
"TITLE": "Directory Traversal with spring-cloud-config-server"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring Cloud Config",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.2",
"version_value": "2.2.2"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.1",
"version_value": "2.1.7"
}
]
}
}
]
},
"vendor_name": "Spring by VMware"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-23: Relative Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pivotal.io/security/cve-2020-5405",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2020-5405"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2020-5405",
"datePublished": "2020-03-05T19:00:19.429999Z",
"dateReserved": "2020-01-03T00:00:00",
"dateUpdated": "2024-09-16T22:36:28.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-3799 (GCVE-0-2019-3799)
Vulnerability from nvd – Published: 2019-05-06 15:21 – Updated: 2024-09-17 00:16
VLAI?
Summary
Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.
Severity ?
No CVSS data available.
CWE
- CWE-22 - Path Traversal
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Spring | Spring Cloud Config |
Affected:
2.0 , < v2.0.4.RELEASE
(custom)
Affected: 1.4 , < v1.4.6.RELEASE (custom) Affected: 2.1 , < v2.1.2.RELEASE (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:19:18.484Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2019-3799"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Spring Cloud Config",
"vendor": "Spring",
"versions": [
{
"lessThan": "v2.0.4.RELEASE",
"status": "affected",
"version": "2.0",
"versionType": "custom"
},
{
"lessThan": "v1.4.6.RELEASE",
"status": "affected",
"version": "1.4",
"versionType": "custom"
},
{
"lessThan": "v2.1.2.RELEASE",
"status": "affected",
"version": "2.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-04-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T23:20:44",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2019-3799"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Directory Traversal with spring-cloud-config-server",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2019-04-17T00:00:00.000Z",
"ID": "CVE-2019-3799",
"STATE": "PUBLIC",
"TITLE": "Directory Traversal with spring-cloud-config-server"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring Cloud Config",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.0",
"version_value": "v2.0.4.RELEASE"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "1.4",
"version_value": "v1.4.6.RELEASE"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.1",
"version_value": "v2.1.2.RELEASE"
}
]
}
}
]
},
"vendor_name": "Spring"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://pivotal.io/security/cve-2019-3799",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2019-3799"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2019-3799",
"datePublished": "2019-05-06T15:21:37.135488Z",
"dateReserved": "2019-01-03T00:00:00",
"dateUpdated": "2024-09-17T00:16:21.820Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}