In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.
References
Link | Resource |
---|---|
https://spring.io/security/cve-2024-22236 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
09 Feb 2024, 01:01
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:vmware:spring_cloud_contract:4.1.0:*:*:*:*:*:*:* cpe:2.3:a:vmware:spring_cloud_contract:*:*:*:*:*:*:*:* |
|
CWE | CWE-732 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.5 |
References | () https://spring.io/security/cve-2024-22236 - Vendor Advisory | |
First Time |
Vmware
Vmware spring Cloud Contract |
31 Jan 2024, 07:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-01-31 07:15
Updated : 2024-02-09 01:01
NVD link : CVE-2024-22236
Mitre link : CVE-2024-22236
CVE.ORG link : CVE-2024-22236
JSON object : View
Products Affected
vmware
- spring_cloud_contract
CWE
CWE-732
Incorrect Permission Assignment for Critical Resource