Vulnerability Description
Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vmware | Spring Cloud Config | >= 1.4.0, < 1.4.6 |
| Oracle | Communications Cloud Native Core Policy | 1.15.0 |
Related Weaknesses (CWE)
References
- https://pivotal.io/security/cve-2019-3799Vendor Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
- https://pivotal.io/security/cve-2019-3799Vendor Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
FAQ
What is CVE-2019-3799?
CVE-2019-3799 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration...
How severe is CVE-2019-3799?
CVE-2019-3799 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-3799?
Check the references section above for vendor advisories and patch information. Affected products include: Vmware Spring Cloud Config, Oracle Communications Cloud Native Core Policy.