CVE-2019-3799: spring-cloud-config-server Directory Traversal Vulnerability Alert
Recently, Spring disclosed a directory traversal vulnerability in Spring Cloud Config (CVE-2019-3799) in its latest security update. The vulnerability is officially rated high. It allows the spring-cloud-config-server module to serve arbitrary configuration files: an attacker can construct malicious URLs that exploit the directory traversal to read files outside the intended configuration directory.
Affected versions
- Spring Cloud Config 2.1.0 to 2.1.1
- Spring Cloud Config 2.0.0 to 2.0.3
- Spring Cloud Config 1.4.0 to 1.4.5
- Older unsupported versions are also affected
Unaffected versions
- Spring Cloud Config 2.1.2
- Spring Cloud Config 2.0.4
- Spring Cloud Config 1.4.6
Solution
The latest Spring Cloud Config releases fix this directory traversal vulnerability. Upgrade your Spring Cloud Config deployment to one of the unaffected versions listed above as soon as possible.
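To turn the version matrix above into an inventory check, here is an added Python example (not part of the advisory or of the Spring project) that parses Spring-style version strings such as 2.1.1.RELEASE and classifies them against the ranges listed; the Maven-style dependency lines it scans are constructed sample data, and the verdict labels are this example's own.

```python
import re

# Version ranges exactly as stated in the advisory for CVE-2019-3799,
# keyed by (major, minor) branch: (first affected, last affected, first fixed).
ADVISORY_BRANCHES = {
    (1, 4): ((1, 4, 0), (1, 4, 5), (1, 4, 6)),
    (2, 0): ((2, 0, 0), (2, 0, 3), (2, 0, 4)),
    (2, 1): ((2, 1, 0), (2, 1, 1), (2, 1, 2)),
}
OLDEST_LISTED = (1, 4, 0)  # anything below this is an "older unsupported version", also affected

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-](.+))?$")

def parse_version(text):
    """Split a Spring-style version such as '2.1.1.RELEASE' into ((2, 1, 1), 'RELEASE')."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), (m.group(4) or "RELEASE")

def classify(text):
    """Return 'affected', 'fixed', 'pre-release' or 'unlisted' for one version string."""
    version, qualifier = parse_version(text)
    if version < OLDEST_LISTED:
        return "affected"
    branch = ADVISORY_BRANCHES.get(version[:2])
    if branch is None:
        return "unlisted"  # branch not covered by the advisory (e.g. a later 2.x line)
    first, last, fixed = branch
    if first <= version <= last:
        return "affected"
    if version >= fixed:
        # A snapshot/RC/milestone at the fixed patch level may predate the fix: verify by hand.
        return "fixed" if qualifier == "RELEASE" else "pre-release"
    return "unlisted"

# Matches Maven (group:artifact:jar:version:scope) and Gradle (group:artifact:version) coordinates.
COORD_RE = re.compile(r"org\.springframework\.cloud:spring-cloud-config-server:(?:jar:)?([0-9][^:\s]*)")

def scan_dependency_output(lines):
    """Find spring-cloud-config-server coordinates in a dependency listing and classify each."""
    return [(m.group(1), classify(m.group(1)))
            for m in (COORD_RE.search(line) for line in lines) if m]

# Constructed sample shaped like `mvn dependency:list` output (not real project data).
SAMPLE_OUTPUT = [
    "[INFO]    org.springframework.cloud:spring-cloud-config-server:jar:2.1.0.RELEASE:compile",
    "[INFO]    org.springframework.cloud:spring-cloud-config-client:jar:2.1.0.RELEASE:compile",
    "[INFO]    org.springframework.boot:spring-boot-starter-web:jar:2.1.4.RELEASE:compile",
]

if __name__ == "__main__":
    for coord, verdict in scan_dependency_output(SAMPLE_OUTPUT):
        print(f"spring-cloud-config-server {coord}: {verdict}")
```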