Spring Cloud Config Security Vulnerabilities and Issues — Spring Cloud Config CVE List

VmwareSpring Cloud Config

8 matches found

CVE•added 2020/06/02 4:50 p.m.•1084 views

CVE-2020-5410

CVE-2020-5410 affects VMware/Tanzu Spring Cloud Config Server. Versions 2.2.x before 2.2.3 and 2.1.x before 2.1.9 (and older unsupported) are vulnerable to a directory-traversal where a crafted URL can cause the server to serve arbitrary configuration files. Root cause: inadequate validation in t...

7.5CVSS7.5AI score0.95586EPSS

In wild

CVE•added 2023/03/23 12:0 a.m.•449 views

CVE-2023-20859

CVE-2023-20859 affects Spring Vault: 3.0.x prior to 3.0.2 and 2.3.x prior to 2.3.3 (and older versions). The issue allows insertion of sensitive information into log files when revoking a Vault batch token, potentially exposing confidential data on local systems. The NVD metrics show a Local, Low...

5.5CVSS5.1AI score0.00223EPSS

CVE•added 2019/05/06 3:21 p.m.•173 views

CVE-2019-3799

The CVE-2019-3799 entries describe a Local File Inclusion/Directory Traversal vulnerability in Spring Cloud Config Server. Affected versions are Spring Cloud Config Server 2.1.x before 2.1.2, 2.0.x before 2.0.4, and 1.4.x before 1.4.6, plus older unsupported releases. An unauthenticated attacker ...

6.5CVSS6.3AI score0.85295EPSS

CVE•added 2020/03/05 7:0 p.m.•167 views

CVE-2020-5405

Spring Cloud Config - Local File Inclusion (CVE-2020-5405): Affects Spring Cloud Config Server in 2.2.x before 2.2.2 and 2.1.x before 2.1.7 (older/unsupported). Exploitable via a crafted URL to serve arbitrary configuration files, enabling potential data exposure. Remediation: upgrade to patched ...

6.5CVSS6.7AI score0.68542EPSS

CVE•added 2026/05/07 3:49 a.m.•20 views

CVE-2026-40982

Spring Cloud Config server (spring-cloud-config-server) is vulnerable to a directory-traversal issue that allows serving arbitrary text and binary files via crafted URLs. Affected versions: Spring Cloud Config 3.1.x (3.1.0–3.1.13); upgrade to 3.1.14+. 4.1.x (4.1.0–4.1.9); upgrade to 4.1.10+. 4.2....

9.1CVSS5.9AI score0.00793EPSS

CVE•added 2026/05/07 3:55 a.m.•18 views

CVE-2026-40981

CVE-2026-40981 : In Spring Cloud Config Server using Google Secrets Manager as a backend, a crafted request can expose secrets from unintended GCP projects. Affected versions and upgrades: 3.1.x: 3.1.0–3.1.13 → upgrade to 3.1.14+ 4.1.x: 4.1.0–4.1.9 → upgrade to 4.1.10+ 4.2.x: 4.2.0–4.2.6 → upgrad...

7.5CVSS5.8AI score0.0038EPSS

CVE•added 2026/05/07 3:53 a.m.•17 views

CVE-2026-41002

CVE-2026-41002 affects Spring Cloud Config Server where the base directory used to clone Git repositories (spring.cloud.config.server.git.basedir) is vulnerable to time-of-check-time-of-use (TOCTOU) issues. Affected ranges and upgrades: Spring Cloud Config 3.1.x: 3.1.0–3.1.13 → upgrade to 3.1.14+...

8.1CVSS5.8AI score0.0022EPSS

CVE•added 2026/05/07 3:51 a.m.•16 views

CVE-2026-41004

The CVE-2026-41004 affects Spring Cloud Config Server when trace logging is enabled, exposing sensitive information in plain text in logs. All affected branches and versions include: Spring Cloud Config 3.1.x (3.1.0–3.1.13) with upgrade to 3.1.14+; 4.1.x (4.1.0–4.1.9) upgrade to 4.1.10+; 4.2.x (4...

4.4CVSS5.8AI score0.00168EPSS