CVE-2024-22236
First published: Wed Jan 31 2024(Updated: )
In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.
Credit: security@vmware.com security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.springframework.cloud:spring-cloud-contract-shade | >=3.1.0<3.1.10 | 3.1.10 |
| maven/org.springframework.cloud:spring-cloud-contract-shade | >=4.0.0<4.0.5 | 4.0.5 |
| maven/org.springframework.cloud:spring-cloud-contract-shade | =4.1.0 | 4.1.1 |
| Vmware Spring Cloud Contract | >=3.1.0<3.1.10 | |
| Vmware Spring Cloud Contract | >=4.0.0<4.0.5 | |
| Vmware Spring Cloud Contract | =4.1.0 | |
| >=3.1.0<3.1.10 | ||
| >=4.0.0<4.0.5 | ||
| =4.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/mitre-cve
- source/MITRE
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-p6rp-mx85-m459
- alias/CVE-2024-22236
- agent/software-canonical-lookup
- agent/references
- agent/description
- agent/event
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- agent/severity
- agent/weakness
- agent/last-modified-date
- collector/nvd-api
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/epss-latest
- source/FIRST
- agent/tags
- agent/epss
- package-manager/maven
- vendor/vmware
- canonical/vmware spring cloud contract
- version/vmware spring cloud contract/3.1.0
- version/vmware spring cloud contract/4.0.0
- version/vmware spring cloud contract/4.1.0