In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.
References
Link | Resource |
---|---|
https://spring.io/security/cve-2024-22236 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: vmware
Published: 2024-01-31T06:54:51.091Z
Updated: 2024-01-31T06:54:51.091Z
Reserved: 2024-01-08T16:40:16.141Z
Link: CVE-2024-22236
JSON object: View
NVD Information
Status : Analyzed
Published: 2024-01-31T07:15:07.697
Modified: 2024-02-09T01:01:27.447
Link: CVE-2024-22236
JSON object: View
Redhat Information
No data.
CWE