GHSA-p6rp-mx85-m459: Spring Cloud Contract vulnerable to local information disclosure

In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure. The shaded com.google.guava:guava code bundled in the org.springframework.cloud:spring-cloud-contract-shade artifact creates a temporary directory without restricting its permissions to the owning user, so another local account on the host running the tests may be able to list that directory and read what the test run writes into it. The advisory rates this low severity: exposure is limited to the host where the tests run, so it matters most on shared build agents where other users or jobs execute on the same machine.
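What "unsafe permissions" means in practice, shown as an added example that is not code from the advisory, from Guava or from Spring Cloud Contract. The advisory does not name the Guava call involved, so the unsafe helper below reproduces the generic pattern of creating a directory with a plain mkdir() under the process umask, and the safe helper uses tempfile.mkdtemp(), which forces mode 0700 (the same guarantee java.nio.file.Files.createTempDirectory gives on POSIX). The directory names, the pinned umask of 022 and the POSIX permission model are assumptions of the example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumptions (example code, not the project's): POSIX mode bits, a pinned
# umask of 022 for the unsafe case, and the system temp dir as the base.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def mode_of(path):
    """Permission bits of path as an int, e.g. 0o755."""
    return stat.S_IMODE(os.stat(path).st_mode)


def exposed_bits(path):
    """Group/other bits of path; 0 means only the owner can enter or list it."""
    return mode_of(path) & GROUP_OTHER_BITS


def is_private(path):
    return exposed_bits(path) == 0


def make_tempdir_unsafe(base=None, umask=0o022):
    """The unsafe pattern: a plain mkdir() in the temp dir, whose mode is
    0777 masked by the process umask. With the common default umask 022 the
    directory ends up 0755, so every local user can list it and read any
    file the test run creates inside it with default modes."""
    base = Path(base or tempfile.gettempdir())
    path = base / f"contract-unsafe-{os.getpid()}-{os.urandom(4).hex()}"
    old = os.umask(umask)  # pin the umask so the demonstration is deterministic
    try:
        os.mkdir(path)  # mode 0o777 & ~umask, i.e. 0o755 here
    finally:
        os.umask(old)
    return path


def make_tempdir_safe(base=None):
    """The safe pattern: mkdtemp() creates the directory with mode 0700
    regardless of umask, which is also what
    java.nio.file.Files.createTempDirectory does on POSIX."""
    return Path(tempfile.mkdtemp(prefix="contract-safe-", dir=base))


def harden(path):
    """After-the-fact fix: strip group/other bits. This closes the directory
    to other users from now on but cannot undo the window between mkdir()
    and chmod(), so it is a mitigation, not a substitute for the patched
    version."""
    os.chmod(path, stat.S_IRWXU)
    return mode_of(path)


def remove(path):
    os.rmdir(path)


if __name__ == "__main__":
    for label, path in (("unsafe", make_tempdir_unsafe()), ("safe", make_tempdir_safe())):
        print(f"{label}: {path} mode={oct(mode_of(path))} private={is_private(path)}")
        remove(path)
```

Run it on a Linux or macOS host: the first directory comes back 0755 and the second 0700. harden() is the quick chmod a team reaches for when the upgrade has to wait; because the race between mkdir() and chmod() stays open, moving to a patched shade version is the actual remediation.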


Spring Cloud Contract vulnerable to local information disclosure (CVE-2024-22236)

Low severity · GitHub Reviewed · Published Jan 31, 2024 to the GitHub Advisory Database · Updated Jan 31, 2024

Package

org.springframework.cloud:spring-cloud-contract-shade (Maven)

Affected versions        Patched version
= 4.1.0                  4.1.1
>= 4.0.0, < 4.0.5        4.0.5
>= 3.1.0, < 3.1.10       3.1.10
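A check for whether a build resolves an affected version, added here as example code that is not part of the advisory or the project. It encodes the ranges from the table above, compares Maven versions with a simplified ordering (numeric segments, with a qualified version such as 4.0.5-SNAPSHOT sorting before the 4.0.5 release), and scans constructed `mvn dependency:tree` output. The sample tree, the assumption that only the shade artifact is in scope, and the lack of classifier handling are assumptions of the example.

```python
import operator
import re

# Affected ranges as listed in the advisory table. Assumption of this example:
# only the shade artifact is in scope, exactly as the advisory states.
AFFECTED_RANGES = {
    "org.springframework.cloud:spring-cloud-contract-shade": [
        "= 4.1.0",
        ">= 4.0.0, < 4.0.5",
        ">= 3.1.0, < 3.1.10",
    ],
}

_CLAUSE = re.compile(r"(>=|<=|=|>|<)\s*([0-9][0-9A-Za-z.\-]*)")
_OPS = {"=": operator.eq, ">": operator.gt, ">=": operator.ge,
        "<": operator.lt, "<=": operator.le}


def parse_version(version):
    """Comparable key for a Maven version. Numeric segments compare numerically
    and are padded to three; a qualified version (4.0.5-SNAPSHOT) sorts before
    the plain release 4.0.5. Simplification: Maven's full qualifier ordering
    (alpha < beta < rc < release) is not modelled."""
    core, _, qualifier = version.partition("-")
    nums = tuple(int(x) for x in core.split(".") if x.isdigit())
    nums += (0,) * (3 - len(nums))
    return nums, 0 if qualifier else 1


def in_range(version, spec):
    """True if version satisfies every comma-separated clause in spec,
    e.g. ">= 4.0.0, < 4.0.5"."""
    clauses = _CLAUSE.findall(spec)
    if not clauses:
        raise ValueError(f"unparseable range: {spec!r}")
    key = parse_version(version)
    return all(_OPS[op](key, parse_version(bound)) for op, bound in clauses)


def is_affected(coordinate, version):
    return any(in_range(version, spec) for spec in AFFECTED_RANGES.get(coordinate, ()))


# groupId:artifactId:type:version[:scope]; lines with a classifier are not handled.
_TREE_LINE = re.compile(r"([\w.\-]+):([\w.\-]+):(\w+):([\w.\-]+)(?::(\w+))?")


def audit_dependency_tree(text):
    """Scan `mvn dependency:tree` output and return (coordinate, version, scope)
    for every line that resolves an affected artifact version."""
    hits = []
    for line in text.splitlines():
        m = _TREE_LINE.search(line)
        if not m:
            continue
        coordinate = f"{m.group(1)}:{m.group(2)}"
        version, scope = m.group(4), m.group(5) or "compile"
        if is_affected(coordinate, version):
            hits.append((coordinate, version, scope))
    return hits


# Constructed sample of `mvn dependency:tree` output, not real project output.
SAMPLE_TREE = """\
[INFO] com.example:contract-demo:jar:1.0.0
[INFO] +- org.springframework.cloud:spring-cloud-starter-contract-verifier:jar:4.0.4:test
[INFO] |  \\- org.springframework.cloud:spring-cloud-contract-shade:jar:4.0.4:test
[INFO] +- org.springframework.cloud:spring-cloud-contract-shade:jar:3.1.10:test
[INFO] \\- com.google.guava:guava:jar:32.1.3-jre:compile
"""

if __name__ == "__main__":
    for coordinate, version, scope in audit_dependency_tree(SAMPLE_TREE):
        print(f"AFFECTED {coordinate}:{version} ({scope} scope)")
```

Pipe real output in with `mvn dependency:tree | python3 audit.py` after replacing SAMPLE_TREE with stdin; on the sample above only the 4.0.4 shade entry is reported, since 3.1.10 is the patched release of its line and the starter artifact is outside the advisory's scope.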


References

  • https://nvd.nist.gov/vuln/detail/CVE-2024-22236
  • https://spring.io/security/cve-2024-22236

Published to the GitHub Advisory Database: Jan 31, 2024

Last updated: Jan 31, 2024
