Thu. Jun 4th, 2020

CVE-2019-3799: spring-cloud-config-server Directory Traversal Vulnerability Alert


Spring recently disclosed a directory traversal vulnerability in Spring Cloud Config (CVE-2019-3799) in its latest security update. The vulnerability is officially rated high. It allows applications to obtain arbitrary configuration files through the spring-cloud-config-server module, and attackers can exploit the directory traversal by constructing malicious URLs.


Affected versions

  • Spring Cloud Config 2.1.0 to 2.1.1
  • Spring Cloud Config 2.0.0 to 2.0.3
  • Spring Cloud Config 1.4.0 to 1.4.5
  • Older unsupported versions are also affected

Unaffected versions

  • Spring Cloud Config 2.1.2
  • Spring Cloud Config 2.0.4
  • Spring Cloud Config 1.4.6


Spring has fixed the Spring Cloud Config directory traversal vulnerability in its latest release. Upgrade Spring Cloud Config to one of the unaffected versions as soon as possible.
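To find deployments that still need the upgrade, the version lists above can be turned into a check over an inventory of jar names. This is an added example, not code from Spring or from the original alert. It assumes jars are named `spring-cloud-config-server-<version>.jar`, that release lines newer than 2.1 carry the fix, and the sample jar names are constructed.

```python
import re

# Fixed patch level per release line, from the "Unaffected" list in the alert.
FIXED = {(1, 4): 6, (2, 0): 4, (2, 1): 2}
# Assumed jar naming convention: spring-cloud-config-server-<major>.<minor>.<patch>...
JAR_RE = re.compile(r"spring-cloud-config-server-(\d+)\.(\d+)\.(\d+)")

def classify(version):
    """Return (status, upgrade_target) for a version such as '2.1.1.RELEASE'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return ("unknown", None)
    major, minor, patch = map(int, m.groups())
    line = (major, minor)
    if line in FIXED:
        if patch < FIXED[line]:
            return ("affected", f"{major}.{minor}.{FIXED[line]}")
        return ("fixed", None)
    if line < min(FIXED):
        # "Older unsupported versions are also affected"; they have no fix of
        # their own, so point at the lowest fixed release listed in the alert.
        return ("affected", "1.4.6")
    if line > max(FIXED):
        # Assumption: lines released after 2.1 already include the fix.
        return ("assumed-fixed", None)
    return ("unknown", None)  # a line the alert does not mention

def scan(jar_names):
    """Classify every spring-cloud-config-server jar found in jar_names."""
    findings = []
    for name in jar_names:
        m = JAR_RE.search(name)
        if m:
            version = ".".join(m.groups())
            findings.append((name, version) + classify(version))
    return findings

# Constructed sample inventory (for example, the contents of BOOT-INF/lib).
SAMPLE = [
    "spring-cloud-config-server-2.1.1.RELEASE.jar",
    "spring-cloud-config-server-2.0.4.RELEASE.jar",
    "spring-cloud-config-server-1.3.4.RELEASE.jar",
    "spring-web-5.1.6.RELEASE.jar",
]

if __name__ == "__main__":
    for name, version, status, target in scan(SAMPLE):
        print(f"{name}: {status}" + (f", upgrade to {target}" if target else ""))
```
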