CVE-2024-22236

2024-01-3107:15:07

CWE-732

vmware

web.nvd.nist.gov

spring cloud contract

information disclosure

cve-2024-22236

security vulnerability

nvd

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

5.2

Confidence

High

EPSS

Percentile

5.1%

JSON

In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.

Affected configurations

Nvd

Node

vmwarespring_cloud_contractRange3.1.0–3.1.10

vmwarespring_cloud_contractRange4.0.0–4.0.5

vmwarespring_cloud_contractMatch4.1.0

VendorProductVersionCPE
vmwarespring_cloud_contract*cpe:2.3:a:vmware:spring_cloud_contract:*:*:*:*:*:*:*:*
vmwarespring_cloud_contract4.1.0cpe:2.3:a:vmware:spring_cloud_contract:4.1.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
vmware	spring_cloud_contract	*	cpe:2.3:a:vmware:spring_cloud_contract::::::::
vmware	spring_cloud_contract	4.1.0	cpe:2.3:a:vmware:spring_cloud_contract:4.1.0:::::::*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Spring Cloud Contract",
    "vendor": "Spring",
    "versions": [
      {
        "lessThan": "4.1.1",
        "status": "affected",
        "version": "4.1.0",
        "versionType": "4.1.1"
      },
      {
        "lessThan": "4.0.6",
        "status": "affected",
        "version": "4.0.0",
        "versionType": "4.0.6"
      },
      {
        "lessThan": "3.1.10",
        "status": "affected",
        "version": "3.1.0",
        "versionType": "3.1.10"
      }
    ]
  }
]