CVE-2024-22236

2024-01-3106:54:51

vmware

www.cve.org

spring cloud contract

information disclosure

local

temporary directory

permissions

guava dependency

cve-2024-22236

CVSS3

3.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

5.5

Confidence

High

EPSS

Percentile

5.1%

JSON

In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Spring Cloud Contract",
    "vendor": "Spring",
    "versions": [
      {
        "lessThan": "4.1.1",
        "status": "affected",
        "version": "4.1.0",
        "versionType": "4.1.1"
      },
      {
        "lessThan": "4.0.6",
        "status": "affected",
        "version": "4.0.0",
        "versionType": "4.0.6"
      },
      {
        "lessThan": "3.1.10",
        "status": "affected",
        "version": "3.1.0",
        "versionType": "3.1.10"
      }
    ]
  }
]