Bug 1845626 (CVE-2020-5410)

Summary: CVE-2020-5410 spring-cloud-config-server: sending a request using a specially crafted URL can lead to a directory traversal attack
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aileenc, chazlett, drieden, ggaughan, gmalinko, janstey, jochrist, jwon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: spring-cloud-config 2.2.3, spring-cloud-config 2.1.9 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in spring-cloud-config in versions prior to 2.1.9 and 2.2.3. Applications are allowed to serve arbitrary configuration files through the spring-cloud-config-server module allowing an attacker to send a request using a specially crafted URL to create a directory traversal attack. The highest threat from this vulnerability is to data confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-08-11 19:28:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1845627    

Description Guilherme de Almeida Suckevicz 2020-06-09 16:52:53 UTC 
Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.

Reference:
https://tanzu.vmware.com/security/cve-2020-5410
Comment 4 Chess Hazlett 2020-06-11 18:12:28 UTC 
Mitigation:

Users of vulnerable versions or older, unsupported versions of spring-cloud-config-server should upgrade to a patched version. Spring-cloud-config-server should only be accessible on internal networks.
Comment 5 Jonathan Christison 2021-02-15 14:33:36 UTC 
Marking Red Hat Fuse 7 as having a low impact, although customers may acquire the affected artifact via the offline manifest, Fuse does not distribute or use the affected artifact directly.
Comment 6 errata-xmlrpc 2021-08-11 18:23:14 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.9

Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
Comment 7 Product Security DevOps Team 2021-08-11 19:28:22 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-5410