Skip to content

Commit e569718

Browse files
Merge pull request #7647 from github/scottfrederick-GHSA-6g23-24mc-hx6x
2 parents d638fb4 + 09bd57b commit e569718

1 file changed

Lines changed: 21 additions & 2 deletions

File tree

advisories/github-reviewed/2026/05/GHSA-6g23-24mc-hx6x/GHSA-6g23-24mc-hx6x.json

Lines changed: 21 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,13 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-6g23-24mc-hx6x",
4-
"modified": "2026-05-11T16:19:13Z",
4+
"modified": "2026-05-11T16:19:14Z",
55
"published": "2026-05-07T06:31:41Z",
66
"aliases": [
77
"CVE-2026-40982"
88
],
99
"summary": "Spring Cloud Config vulnerable to Path Traversal",
10-
"details": "Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.\nSpring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.",
10+
"details": "Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.\n\n- Spring Cloud Config 3.0.x: affected from 3.0.0 through 3.0.7 (inclusive); no open-source upgrade available. \n- Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); no open-source upgrade available. \n- Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); no open-source upgrade available. \n- Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); no open-source upgrade available. \n- Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. \n- Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.",
1111
"severity": [
1212
{
1313
"type": "CVSS_V3",
@@ -115,6 +115,25 @@
115115
"database_specific": {
116116
"last_known_affected_version_range": "<= 5.0.2"
117117
}
118+
},
119+
{
120+
"package": {
121+
"ecosystem": "Maven",
122+
"name": "org.springframework.cloud:spring-cloud-config-server"
123+
},
124+
"ranges": [
125+
{
126+
"type": "ECOSYSTEM",
127+
"events": [
128+
{
129+
"introduced": "3.0.0"
130+
},
131+
{
132+
"last_affected": "3.0.7"
133+
}
134+
]
135+
}
136+
]
118137
}
119138
],
120139
"references": [

0 commit comments

Comments
 (0)