Directory Traversal Vulnerability of Spring Cloud Config Server (CVE-2020-5410)

Jun 03, 2020 GMT+08:00

I. Overview

It was recently disclosed that a directory traversal vulnerability (CVE-2020-5410) exists in Spring Cloud Config versions 2.2.x prior to 2.2.3 and versions 2.1.x prior to 2.1.9. An attacker can send a request with a specially crafted URL that results in a directory traversal attack.

If you are a Spring Cloud Config user, check your versions and implement timely security hardening.

For more information about this vulnerability, visit the following website: https://tanzu.vmware.com/security/cve-2020-5410.

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected Versions:

Spring Cloud Config 2.2.0 to 2.2.2

Spring Cloud Config 2.1.0 to 2.1.8

Secure Versions:

Spring Cloud Config 2.2.3

Spring Cloud Config 2.1.9
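A version check against the ranges listed above, added here as an illustration and not part of this notice or of the Spring Cloud project. It parses Spring-style version strings such as 2.2.2.RELEASE, classifies them against the affected ranges, and audits a constructed pom.xml fragment; a dependency whose version is inherited from a BOM is reported as unknown rather than guessed.

```python
import re
import xml.etree.ElementTree as ET

# Advisory ranges: minor line -> (first affected, first fixed release)
AFFECTED_RANGES = {(2, 2): ((2, 2, 0), (2, 2, 3)), (2, 1): ((2, 1, 0), (2, 1, 9))}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-].*)?$")

def parse_version(text):
    """'2.2.2.RELEASE' or '2.1.8' -> (2, 2, 2); other strings raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version):
    """True when the version lies inside a range named by the advisory."""
    v = parse_version(version)
    bounds = AFFECTED_RANGES.get(v[:2])
    if bounds is None:
        return False  # other minor lines are outside the advisory's scope
    low, fixed = bounds
    return low <= v < fixed

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the Maven POM namespace, if present

def audit_pom(pom_xml):
    """List (version, status) for every spring-cloud-config-server dependency in a pom.xml."""
    report = []
    for dep in ET.fromstring(pom_xml).iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        if (f.get("groupId"), f.get("artifactId")) != ("org.springframework.cloud", "spring-cloud-config-server"):
            continue
        ver = f.get("version")
        if not ver:  # version inherited from a BOM: resolve it before trusting the result
            report.append(("<managed>", "unknown"))
        else:
            report.append((ver, "affected" if is_affected(ver) else "not affected"))
    return report

# Constructed sample pom.xml fragment for the demonstration (not from any real project)
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-config-server</artifactId><version>2.2.2.RELEASE</version></dependency>
  <dependency><groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-config-server</artifactId></dependency>
</dependencies></project>"""
```

Calling `audit_pom(SAMPLE_POM)` reports the first dependency as affected and the second as unknown because its version is managed elsewhere.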

IV. Vulnerability Handling

This vulnerability has been fixed in the latest official release. If your version falls into the affected range, upgrade it to the latest secure version.

Download link:

https://github.com/spring-cloud/spring-cloud-config/releases

Note that spring-cloud-config-server should be reachable only from internal networks, and only by the clients that require it, and Spring Security should be used to authenticate those clients.

Note: Before applying the fix, back up your files and test the fix thoroughly.