CVE-2020-5410

2020-06-09T16:55:09
ID RH:CVE-2020-5410
Type redhatcve
Reporter redhat.com
Modified 2021-08-11T19:25:17

Description

A flaw was found in spring-cloud-config in versions prior to 2.1.9 and 2.2.3. The spring-cloud-config-server module allows applications to serve arbitrary configuration files, so an attacker can send a request with a specially crafted URL to carry out a directory traversal attack. The highest threat from this vulnerability is to data confidentiality.

Mitigation

Users of vulnerable versions or older, unsupported versions of spring-cloud-config-server should upgrade to a patched version. Spring-cloud-config-server should only be accessible on internal networks.
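
To find which deployments need the upgrade, the following added example (not code from Red Hat or the Spring project) classifies spring-cloud-config-server jars against the fixed versions 2.1.9 and 2.2.3 named above. The jar file naming pattern, the sample paths, and the treatment of release lines newer than 2.2.x as already fixed are assumptions.

```python
import re

# Fixed releases per the advisory: 2.1.9 on the 2.1.x line, 2.2.3 on the 2.2.x line.
FIXED = {(2, 1): (2, 1, 9), (2, 2): (2, 2, 3)}

# Assumed artifact naming, e.g. spring-cloud-config-server-2.2.2.RELEASE.jar
JAR_RE = re.compile(
    r"spring-cloud-config-server-(\d+)\.(\d+)\.(\d+)(?:[.-][A-Za-z0-9]+)*\.jar$"
)

def classify(version):
    """Return 'patched', 'vulnerable' or 'unsupported' for (major, minor, patch)."""
    line = version[:2]
    if line in FIXED:
        return "patched" if version >= FIXED[line] else "vulnerable"
    # Assumption: lines newer than 2.2.x already contain the fix.
    # Older lines are the "older, unsupported versions" that must be upgraded.
    return "patched" if line > max(FIXED) else "unsupported"

def audit(paths):
    """Return (path, version, status) for every config-server jar in paths."""
    findings = []
    for path in paths:
        match = JAR_RE.search(path)
        if not match:
            continue  # not the server module (e.g. the client jar)
        version = tuple(int(g) for g in match.groups())
        findings.append((path, ".".join(map(str, version)), classify(version)))
    return findings

# Constructed sample inventory (hypothetical paths).
SAMPLE = [
    "/opt/app-a/lib/spring-cloud-config-server-2.2.2.RELEASE.jar",
    "/opt/app-b/lib/spring-cloud-config-server-2.1.9.RELEASE.jar",
    "/opt/app-c/lib/spring-cloud-config-server-2.0.5.RELEASE.jar",
    "/opt/app-d/lib/spring-cloud-config-client-2.2.2.RELEASE.jar",
]

if __name__ == "__main__":
    for path, version, status in audit(SAMPLE):
        print(f"{status:<12} {version:<8} {path}")
```

Any jar reported as `vulnerable` or `unsupported` should be upgraded, and the server kept reachable only from internal networks, as the mitigation states.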