CVE-2024-22236

In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.
References
Link Resource
https://spring.io/security/cve-2024-22236 Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:vmware:spring_cloud_contract:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_cloud_contract:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_cloud_contract:4.1.0:*:*:*:*:*:*:*

History

09 Feb 2024, 01:01

Type Values Removed Values Added
CPE cpe:2.3:a:vmware:spring_cloud_contract:4.1.0:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_cloud_contract:*:*:*:*:*:*:*:*
CWE CWE-732
CVSS v2 : unknown
v3 : 3.3
v2 : unknown
v3 : 5.5
References () https://spring.io/security/cve-2024-22236 - () https://spring.io/security/cve-2024-22236 - Vendor Advisory
First Time Vmware
Vmware spring Cloud Contract

31 Jan 2024, 07:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-01-31 07:15

Updated : 2024-02-09 01:01


NVD link : CVE-2024-22236

Mitre link : CVE-2024-22236

CVE.ORG link : CVE-2024-22236


JSON object : View

Products Affected

vmware

  • spring_cloud_contract
CWE
CWE-732

Incorrect Permission Assignment for Critical Resource