Service Notices
Directory Traversal Vulnerability of Spring Cloud Config Server (CVE-2020-5410)
Jun 03, 2020 GMT+08:00
I. Overview
It has been disclosed recently that a Directory Traversal Vulnerability (CVE-2020-5410) exists in Spring Cloud Config versions 2.2.x prior to 2.2.3 and versions 2.1.x prior to 2.1.9, allowing attackers to send a request using a specially crafted URL that can lead to a directory traversal attack.
If you are a Spring Cloud Config user, check your versions and implement timely security hardening.
For more information about this vulnerability, visit the following website: https://tanzu.vmware.com/security/cve-2020-5410.
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected Versions:
Spring Cloud Config 2.2.0 to 2.2.2
Spring Cloud Config 2.1.0 to 2.1.8
Secure Versions:
Spring Cloud Config 2.2.3
Spring Cloud Config 2.1.9
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official release. If your version falls into the affected range, upgrade it to the latest secure version.
Download link:
https://github.com/spring-cloud/spring-cloud-config/releases
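To help with the version check above, the following added script (not part of this notice or of the Spring Cloud project) classifies Spring Cloud Config artifact versions against the affected and secure ranges listed in section III, and scans constructed `mvn dependency:tree` style lines for spring-cloud-config artifacts; the `.RELEASE` suffix handling and the sample lines are assumptions.

```python
import re

# Affected patch ranges per minor branch, as stated in section III of the notice.
AFFECTED_RANGES = {
    (2, 2): (0, 2),   # 2.2.0 to 2.2.2
    (2, 1): (0, 8),   # 2.1.0 to 2.1.8
}
# First secure patch level per branch, as stated in section III.
FIXED_PATCH = {(2, 2): 3, (2, 1): 9}


def parse_version(version):
    """Return (major, minor, patch) from strings such as '2.2.2.RELEASE' or '2.1.9'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def classify(version):
    """Classify a version as affected, secure, or outside the ranges this notice covers."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch not in AFFECTED_RANGES:
        # 2.0.x and other branches are not listed in the notice; say so instead of guessing.
        return "not covered by this notice"
    low, high = AFFECTED_RANGES[branch]
    if low <= patch <= high:
        return f"affected (upgrade to {major}.{minor}.{FIXED_PATCH[branch]})"
    return "secure"


# Constructed sample of `mvn dependency:tree` output (assumed format, not real project output).
SAMPLE_TREE = """\
[INFO] +- org.springframework.cloud:spring-cloud-config-server:jar:2.2.2.RELEASE:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-config-client:jar:2.2.2.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.2.6.RELEASE:compile
[INFO] +- org.springframework.cloud:spring-cloud-config-server:jar:2.1.9.RELEASE:compile
"""

# Matches any spring-cloud-config-* artifact and captures its version component.
DEP_RE = re.compile(r"org\.springframework\.cloud:(spring-cloud-config-[a-z-]+):jar:([^:]+):")


def scan_dependency_tree(text):
    """Return (artifact, version, verdict) for every spring-cloud-config artifact found."""
    return [(artifact, version, classify(version)) for artifact, version in DEP_RE.findall(text)]
```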
Note that spring-cloud-config-server should be reachable only on internal networks, and only by the clients that require it, and Spring Security should be used to authenticate those clients.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.