CVE-2019-3799: spring-cloud-config-server Directory Traversal Vulnerability Alert

Spring recently disclosed a directory traversal vulnerability in Spring Cloud Config (CVE-2019-3799) in its latest security update. The vulnerability is officially rated high severity. It allows arbitrary configuration files to be obtained through the spring-cloud-config-server module: an attacker can construct a malicious URL that exploits the directory traversal flaw.
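Because the flaw is triggered by traversal sequences in the request URL, one thing a defender can do while scheduling the upgrade is check historical access logs of the config server for such requests. The script below is an added example and is not part of the advisory or of Spring's own tooling; the log lines, client addresses and request paths are constructed for illustration and the path layout (/app/default/master/...) is an assumption, not the real vulnerable endpoint. It percent-decodes each request target repeatedly (so double-encoded "%252e%252e" is caught as well), maps backslashes to slashes, and flags any request whose decoded target contains a ".." path segment.

```python
"""Added example (not from the advisory): flag directory-traversal attempts
against a Spring Cloud Config server in web-server access logs.
Log format, addresses and request paths below are constructed for
illustration; the path layout is an assumption, not the real endpoint."""
import re
from urllib.parse import unquote

# Common/combined log format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)


def normalize_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode the request target until it stops changing (catches
    double encoding such as %252e%252e) and map backslashes to slashes, so
    traversal segments are recognised regardless of how they were encoded."""
    decoded = target
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True if any slash-separated segment of the decoded target is exactly
    '..'. Segments that merely start with dots (e.g. '..hidden') are not
    traversal and are left alone."""
    return any(seg == ".." for seg in normalize_target(target).split("/"))


def scan_log(lines):
    """Return (client, timestamp, decoded target, status) for every log line
    whose request target carries a traversal sequence."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        target = m.group("target")
        if is_traversal(target):
            hits.append((m.group("client"), m.group("ts"),
                         normalize_target(target), int(m.group("status"))))
    return hits


# Constructed sample log: two benign requests, then a plain and a
# double-encoded traversal attempt from the same client.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Apr/2019:10:15:01 +0000] "GET /app/default/master/application.yml HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Apr/2019:10:15:04 +0000] "GET /app/default/master/..hidden/notes.yml HTTP/1.1" 404 0',
    '198.51.100.7 - - [12/Apr/2019:10:15:09 +0000] "GET /app/default/master/..%2F..%2Fother-app%2Fapplication.yml HTTP/1.1" 200 301',
    '198.51.100.7 - - [12/Apr/2019:10:15:12 +0000] "GET /app/default/master/%252e%252e/%252e%252e/other-app/application.yml HTTP/1.1" 200 301',
]

if __name__ == "__main__":
    for client, ts, target, status in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {target} (HTTP {status})")
```

A 200 status on a flagged line is the case worth investigating first, since it suggests the server actually returned a file outside the intended configuration directory; 4xx responses are still useful as evidence of probing. Feed real logs in via stdin or a file iterator instead of SAMPLE_LOG, and adjust LOG_RE if the server uses a different log format.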

CVE-2019-3799

Affected version

  • Spring Cloud Config 2.1.0 to 2.1.1
  • Spring Cloud Config 2.0.0 to 2.0.3
  • Spring Cloud Config 1.4.0 to 1.4.5
  • Older unsupported versions are also affected

Unaffected version

  • Spring Cloud Config 2.1.2
  • Spring Cloud Config 2.0.4
  • Spring Cloud Config 1.4.6

Solution

Spring has fixed the directory traversal vulnerability in the latest Spring Cloud Config releases. Upgrade Spring Cloud Config to an unaffected version as soon as possible.