CVE-2019-3799
Path Traversal in Spring Cloud Config
CVSS 3.1 base score: 6.5 (MEDIUM)
EPSS: 91.4%
Description
Spring Cloud Config versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.
How to fix CVE-2019-3799
To remediate CVE-2019-3799, upgrade the affected package to the fixed version below.
- upgrade to 1.4.6 or later
Is CVE-2019-3799 being exploited?
Likely — EPSS is 91.4%, placing CVE-2019-3799 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- all versions below 1.4.6 (range: from 0, < 1.4.6)
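A small dependency audit helper, added here as an example and not part of the advisory or of the Spring Cloud project: it encodes the three affected version lines stated in the Description (2.1.x < 2.1.2, 2.0.x < 2.0.4, 1.4.x < 1.4.6, plus older unsupported lines) and checks Maven-style coordinates against them. The Maven groupId `org.springframework.cloud` and the `.RELEASE` version suffix are assumptions about how the artifact is typically declared; the sample dependency list is constructed for illustration.

```python
from typing import List, Optional, Tuple

# Fixed version per release line, as stated in the CVE-2019-3799 description.
FIXED_VERSIONS = {
    (2, 1): (2, 1, 2),
    (2, 0): (2, 0, 4),
    (1, 4): (1, 4, 6),
}
# Release lines older than 1.4.x are described as unsupported and affected;
# the advisory's only in-range fix for them is to move to 1.4.6 or later.
OLDEST_FIXED_LINE = (1, 4)

# Assumed Maven coordinates of the module named in the advisory.
AFFECTED_ARTIFACT = "org.springframework.cloud:spring-cloud-config-server"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH[.QUALIFIER]' (e.g. '2.1.1.RELEASE') into ints.

    Non-numeric qualifiers such as RELEASE or BUILD-SNAPSHOT are ignored;
    anything that does not yield three numeric components is rejected."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def is_affected(version: str) -> bool:
    """True if this spring-cloud-config-server version falls in an affected range."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_VERSIONS:
        return (major, minor, patch) < FIXED_VERSIONS[line]
    if line < OLDEST_FIXED_LINE:
        return True  # older unsupported line: affected, no fix within the line
    return False  # release lines newer than those named in the advisory


def remediation(version: str) -> Optional[str]:
    """Smallest fixed version for the given version, or None if not affected."""
    if not is_affected(version):
        return None
    line = parse_version(version)[:2]
    fixed = FIXED_VERSIONS.get(line, FIXED_VERSIONS[OLDEST_FIXED_LINE])
    return ".".join(str(n) for n in fixed)


def audit(coordinates: List[str]) -> List[Tuple[str, str]]:
    """Return (coordinate, fixed_version) for each affected config-server entry.

    Each coordinate is 'groupId:artifactId:version'; other artifacts are skipped."""
    findings = []
    for coord in coordinates:
        group, artifact, version = coord.rsplit(":", 2)
        if f"{group}:{artifact}" != AFFECTED_ARTIFACT:
            continue
        fix = remediation(version)
        if fix is not None:
            findings.append((coord, fix))
    return findings


# Constructed sample dependency list for a stand-alone run.
SAMPLE_DEPENDENCIES = [
    "org.springframework.cloud:spring-cloud-config-server:2.1.1.RELEASE",
    "org.springframework.cloud:spring-cloud-config-client:2.1.1.RELEASE",
    "org.springframework.cloud:spring-cloud-config-server:2.0.4.RELEASE",
    "org.springframework.cloud:spring-cloud-config-server:1.3.9.RELEASE",
]

if __name__ == "__main__":
    for coord, fix in audit(SAMPLE_DEPENDENCIES):
        print(f"{coord}: affected by CVE-2019-3799, upgrade to {fix} or later")
```

Only the config-server artifact is flagged; the client module is skipped because the advisory names the server module alone. Versions in release lines the advisory does not mention (2.2.x and later) are reported as unaffected by this CVE, which says nothing about other advisories for those lines.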
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |