Lucene search

GoogleOSV:GHSA-P6RP-MX85-M459

HistoryJan 31, 2024 - 9:30 a.m.

Spring Cloud Contract vulnerable to local information disclosure

2024-01-3109:30:18

Google

osv.dev

spring cloud contract

vulnerable

information disclosure

temporary directory

unsafe permissions

guava dependency

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.3

Confidence

High

EPSS

Percentile

5.1%

JSON

In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.

References

github.com/spring-cloud/spring-cloud-contract

nvd.nist.gov/vuln/detail/CVE-2024-22236

spring.io/security/cve-2024-22236

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.3

Confidence

High

EPSS

Percentile

5.1%

JSON

Related for OSV:GHSA-P6RP-MX85-M459