CVE-2020-5405: Spring-cloud-config-server Path Traversal Vulnerability Alert

On February 26, Spring officially published a vulnerability notice for Spring Cloud Config. Security researcher Yiming Xiang from NSFOCUS discovered a path traversal vulnerability (CVE-2020-5405) in the spring-cloud-config-server component.

Attackers can use this vulnerability to traverse directories and read the contents of files they are not authorized to access. “A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.” Users are advised to upgrade spring-cloud-config-server to a fixed version as soon as possible to eliminate this vulnerability.

CVE-2019-3799

Affected versions:

  • Spring Cloud Config 2.2.0 to 2.2.1
  • Spring Cloud Config 2.1.0 to 2.1.6

Unaffected versions:

  • Spring Cloud Config 2.2.2
  • Spring Cloud Config 2.1.7

Solution

Pivotal has fixed the vulnerability in the latest Spring Cloud Config releases; affected users should upgrade as soon as possible. Developers can upgrade by raising the spring-cloud-config-server dependency version in their Maven configuration, then rebuilding and redeploying the application.
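As an added check that is not part of this advisory, the script below scans `mvn dependency:list` output for the resolved spring-cloud-config-server version and reports whether it falls inside the affected ranges listed above, naming the fixed release for that branch. The sample Maven output is constructed; the artifact coordinate and output layout are standard Maven, and `parse_version` is a helper assumed here.

```python
import re

# Affected ranges from the advisory (inclusive): 2.1.0-2.1.6 and 2.2.0-2.2.1.
AFFECTED_RANGES = [((2, 1, 0), (2, 1, 6)), ((2, 2, 0), (2, 2, 1))]
# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(2, 1): "2.1.7", (2, 2): "2.2.2"}
ARTIFACT = "org.springframework.cloud:spring-cloud-config-server"


def parse_version(version):
    """Turn '2.1.6.RELEASE' or '2.2.2' into a (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True only if the version lies inside a range the advisory lists.
    Versions outside every listed range are reported as not listed, not as safe."""
    t = parse_version(version)
    return any(lo <= t <= hi for lo, hi in AFFECTED_RANGES)


def check_dependency_list(lines):
    """Return one finding per spring-cloud-config-server line in mvn dependency:list output."""
    # Maven prints group:artifact:packaging:version:scope on each dependency line.
    pattern = re.compile(re.escape(ARTIFACT) + r":[^:\s]+:([^:\s]+)")
    findings = []
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue
        version = m.group(1)
        branch = parse_version(version)[:2]
        findings.append({"version": version,
                         "affected": is_affected(version),
                         "fixed_version": FIXED.get(branch)})
    return findings


# Constructed sample of `mvn dependency:list` output for illustration.
SAMPLE_OUTPUT = """[INFO] The following files have been resolved:
[INFO]    org.springframework.boot:spring-boot-starter-web:jar:2.1.13.RELEASE:compile
[INFO]    org.springframework.cloud:spring-cloud-config-server:jar:2.1.6.RELEASE:compile
[INFO]    org.springframework.cloud:spring-cloud-config-client:jar:2.1.6.RELEASE:compile""".splitlines()

if __name__ == "__main__":
    for finding in check_dependency_list(SAMPLE_OUTPUT):
        print(finding)
```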