Spring Cloud Config provides server-side and client-side support for externalized configuration in a distributed system. With the Config Server, you have a central place to manage external properties for applications across all environments. The concepts on both client and server map identically to the Spring Environment and PropertySource abstractions, so they fit very well with Spring applications but can be used with any application running in any language.
When processing the directory traversal sequence through the Spring Cloud Config Server module, this vulnerability is caused due to incorrect input verification. A remote attacker can send any specially designed HTTP request that can cause any file to be read.
- Spring Cloud Config: 2.2.0 to 2.2.2
- Spring Cloud Config: 2.1.0 to 2.1.8
Upgrade to Spring Cloud Config to version 2.2.3 or 2.1.9, and place the Spring-Cloud-Config-Server service in the intranet, and use Spring Security for authentication