CVE-2019-3799

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2019-3799
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-3799.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-3799
Aliases
Withdrawn
2024-05-15T05:31:34.773376Z
Published
2019-05-06T16:29:01Z
Modified
2023-11-29T07:30:55.967167Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.

References

Affected packages

Git / github.com/spring-cloud/spring-cloud-config

Affected ranges

Type
GIT
Repo
https://github.com/spring-cloud/spring-cloud-config
Events
Introduced
db63853853de3f3f5ae3d438bb4c9496d55d4c55
Fixed
a196f98d174a458e61f83560cae075a0d6168c78
Introduced
f266d9581cf0dd6d0b2a509849231100d4eb7354
Introduced
e62e06c39a7c20af1202a6600e91fc6b50d6a181

Affected versions

v1.*

v1.3.4.RELEASE
v1.4.0.RELEASE
v1.4.1.RELEASE
v1.4.2.RELEASE
v1.4.3.RELEASE
v1.4.4.RELEASE
v1.4.5.RELEASE