CVE-2024-22236

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-22236

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-22236.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-22236

Aliases

GHSA-p6rp-mx85-m459

Withdrawn

2024-09-03T04:41:29.414142Z

Published

2024-01-31T07:15:07Z

Modified

2024-09-03T04:39:11.064578Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.

References

https://spring.io/security/cve-2024-22236

Affected packages

Git / github.com/spring-cloud/spring-cloud-contract

Affected ranges

Type: GIT
Repo: https://github.com/spring-cloud/spring-cloud-contract
Events: Introduced

7d387e2c47f478f9f82311daf1636094f21e156d

Fixed

b4bbeb5dc73b8a389c8af025fd050cf3d9a8766c

Affected versions

v3.*

v3.1.6

v3.1.7

v3.1.8

v3.1.9

v4.*

v4.0.0

v4.0.1

v4.0.2

v4.0.3

v4.0.4