Spring Cloud Config Server – CVE-2020-5410

Description

Cytrix has detected that the version of Spring Cloud Config Server in use is vulnerable to directory traversal.
The current and older unsupported versions could allow applications to serve arbitrary configuration files via the ‘spring-cloud-config-server’ module.

CVE-2020-5410 is categorized as an ‘Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)’ vulnerability (CWE-22).
These vulnerabilities occur when the software uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory.
The software, however, does not properly neutralize special elements within the pathname, so the pathname can resolve to a location outside of the restricted directory.
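
The containment check that CWE-22 describes as missing, shown beside the unchecked form. This is an added example, not Spring Cloud Config Server's code or its fix: the class and method names are hypothetical, and a temporary directory and constructed request strings stand in for a configuration repository.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class ContainedPathDemo {

    // Vulnerable pattern (CWE-22): the requested name is joined to the base
    // directory and used as-is, so "../" segments can climb out of it.
    static Path resolveUnchecked(Path baseDir, String requested) {
        return baseDir.resolve(requested);
    }

    // Hardened pattern: normalize the joined path, then require that it is
    // still located underneath the base directory. Apply this to the fully
    // decoded value that will actually reach the file system.
    static Path resolveContained(Path baseDir, String requested) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path candidate = base.resolve(requested).normalize();
        // Path.startsWith compares whole name elements, so a sibling such as
        // "/srv/config-evil" does not pass as being under "/srv/config".
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path escapes base directory: " + requested);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a temp directory stands in for the config repo.
        Path base = Files.createTempDirectory("config-repo");
        String[] requests = {
            "app/application.yml",     // stays inside the base directory
            "app/../application.yml",  // contains ".." but still resolves inside
            "../../etc/passwd",        // climbs out of the base directory
            "/etc/passwd"              // absolute path replaces the base entirely
        };
        for (String r : requests) {
            System.out.println("unchecked: " + resolveUnchecked(base, r).normalize());
            try {
                System.out.println("contained: " + resolveContained(base, r));
            } catch (SecurityException e) {
                System.out.println("rejected:  " + e.getMessage());
            }
        }
    }
}
```

`normalize()` is purely lexical and does not follow symbolic links; where links inside the base directory are possible, compare `toRealPath()` results for files that exist.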

Attackers could abuse this by sending a request with a specially crafted URL, leading to directory traversal attacks against your assets.
This helps attackers obtain sensitive information (information disclosure).

Recommendation

To fix CVE-2020-5410, upgrade the version of Spring Cloud Config Server being used to either 2.1.9 or 2.2.3.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5410

https://cwe.mitre.org/data/definitions/22.html

https://cwe.mitre.org/data/definitions/23.html
