Description
Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.
Remediation
References
https://pivotal.io/security/cve-2019-3799
https://www.oracle.com/security-alerts/cpuapr2022.html
Related Vulnerabilities
CVE-2021-22147 Vulnerability in maven package org.elasticsearch:elasticsearch
CVE-2017-7678 Vulnerability in maven package org.apache.spark:spark-core_2.10
CVE-2021-37942 Vulnerability in maven package co.elastic.apm:elastic-apm-agent
CVE-2023-42794 Vulnerability in maven package org.apache.tomcat:tomcat-catalina
CVE-2023-28678 Vulnerability in maven package org.jenkins-ci.plugins:cppcheck