Local Information Disclosure in Spring Cloud Contract by Spring
CVE-2024-22236

5.5MEDIUM

Key Information:

Vendor: Spring
Status: Spring Cloud Contract
Vendor: CVE Published:; 31 January 2024

What is CVE-2024-22236?

Versions of Spring Cloud Contract prior to 4.1.1, 4.0.5, and 3.1.10 are impacted by a vulnerability that allows local information disclosure. This occurs due to the temporary directory created with unsafe permissions, which is influenced by the shaded com.google.guava:guava dependency within the org.springframework.cloud:spring-cloud-contract-shade artifact. Attackers could exploit this issue to access sensitive information residing in these directories, highlighting the importance of promptly upgrading to patched versions.

Affected Version(s)

Spring Cloud Contract 4.1.0 < 4.1.1

Spring Cloud Contract 4.0.0 < 4.0.6

Spring Cloud Contract 3.1.0 < 3.1.10

References

https://spring.io/security/cve-2024-22236

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 31, 2024
Vulnerability Reserved
Jan 8, 2024