On February 26, Spring officially released a vulnerability notice for Spring Cloud Config. Security researcher Yiming Xiang of NSFOCUS discovered a path traversal vulnerability (CVE-2020-5405) in the spring-cloud-config-server component.
Attackers can use this vulnerability to traverse directories and read the contents of files they are not authorized to access. “A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.” Users are urged to upgrade spring-cloud-config-server to a fixed version as soon as possible to close this vulnerability.
Affected versions:
- Spring Cloud Config 2.2.0 to 2.2.1
- Spring Cloud Config 2.1.0 to 2.1.6
Fixed versions:
- Spring Cloud Config 2.2.2
- Spring Cloud Config 2.1.7
Pivotal has fixed the vulnerability in the latest Spring Cloud Config releases, and affected users should upgrade as soon as possible. Developers can do this by raising the spring-cloud-config-server version in their Maven configuration, then rebuilding and redeploying the application.
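To find which builds still need the upgrade, the following added example (not part of the advisory) parses constructed output in the format printed by `mvn dependency:list` and classifies each spring-cloud-config-server version against the affected and fixed ranges listed above; the `.RELEASE` suffix on the sample version strings is assumed from Maven's naming of these artifacts.

```python
"""Flag spring-cloud-config-server versions in the CVE-2020-5405 affected ranges."""
import re
from typing import List, Optional, Tuple

ARTIFACT = "org.springframework.cloud:spring-cloud-config-server"

# Inclusive ranges from the advisory, paired with the release that fixes each line.
AFFECTED = [((2, 2, 0), (2, 2, 1), "2.2.2"), ((2, 1, 0), (2, 1, 6), "2.1.7")]

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '2.2.1.RELEASE' or '2.1.6' into (2, 2, 1); None if not major.minor.patch."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def classify(version: str) -> str:
    """Verdict for one version: affected, fixed, or outside the ranges the advisory names."""
    v = parse_version(version)
    if v is None:
        return "unparseable"
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return f"affected (upgrade to {fixed})"
        # Same major.minor line and at or past the fix release.
        if v[:2] == low[:2] and v >= parse_version(fixed):
            return "fixed"
    return "not listed"  # e.g. older 2.0.x lines; consult the vendor notice before trusting them

def scan_dependency_list(output: str) -> List[Tuple[str, str]]:
    """Return (version, verdict) for every spring-cloud-config-server line in mvn output."""
    hits = []
    for line in output.splitlines():
        # mvn dependency:list prints "group:artifact:jar:version:scope" per dependency.
        m = re.search(r"([^:\s]+):([^:\s]+):jar:([^:\s]+):(\w+)", line)
        if m and f"{m.group(1)}:{m.group(2)}" == ARTIFACT:
            hits.append((m.group(3), classify(m.group(3))))
    return hits

# Constructed sample output, not captured from a real build.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.cloud:spring-cloud-config-server:jar:2.2.1.RELEASE:compile
[INFO]    org.springframework.cloud:spring-cloud-config-client:jar:2.2.1.RELEASE:compile
[INFO]    org.springframework.boot:spring-boot-starter:jar:2.2.5.RELEASE:compile
"""

if __name__ == "__main__":
    for version, verdict in scan_dependency_list(SAMPLE_OUTPUT):
        print(f"{ARTIFACT} {version}: {verdict}")
```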