org.springframework.cloud:spring-cloud-config-server 2.2.6.RELEASE

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.cloud:spring-cloud-config-server package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Directory Traversal org.springframework.cloud:spring-cloud-config-server is a library that provides an HTTP resource-based API for external configuration. Affected versions of this package are vulnerable to Directory Traversal via the `EnvironmentController`, `ResourceController`, and `EncryptionController` request handlers in the config server web layer. An attacker can access unintended repository locations or trigger invalid environment lookups by supplying crafted `name`, `profile`, `label`, or `path` values such as encoded `../` sequences or leading-slash placeholders. This can expose configuration-backed resources and encryption endpoints to requests outside the intended app/profile namespace, breaking access to protected config data and causing request handling failures for affected users. Note: Fixes for earlier branches including 4.2.x, 4.1.x and 3.1.x are available under enterprise support. How to fix Directory Traversal? Upgrade `org.springframework.cloud:spring-cloud-config-server` to version 4.3.3, 5.0.3 or higher.	[,4.3.3)[5.0.0-M1,5.0.3)
H Directory Traversal org.springframework.cloud:spring-cloud-config-server is a library that provides an HTTP resource-based API for external configuration. Affected versions of this package are vulnerable to Directory Traversal via the `retrieve()` and `binary()` methods in `ResourceController`. An attacker can read resources outside the intended search location by supplying a crafted `label` value containing encoded path traversal sequences in a request for a config resource. This lets the attacker retrieve unintended files or configuration content from the server, exposing data that should not be served through the config endpoint. Note: Fixes for earlier branches including 4.2.x, 4.1.x and 3.1.x are available under enterprise support. How to fix Directory Traversal? Upgrade `org.springframework.cloud:spring-cloud-config-server` to version 4.3.3, 5.0.3 or higher.	[,4.3.3)[5.0.0-M1,5.0.3)
M Insertion of Sensitive Information into Log File org.springframework.cloud:spring-cloud-config-server is a library that provides an HTTP resource-based API for external configuration. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File through the `AwsCodeCommitCredentialProvider` class in the credential handling path. An attacker can recover the AWS access key and CodeCommit password by causing the provider to emit trace-level logs while it populates `CredentialItem` values. Those log messages expose secrets to anyone with access to application logs, allowing unauthorized use of the credentials and access to the associated CodeCommit resources. Note: Fixes for earlier branches including 4.2.x, 4.1.x and 3.1.x are available under enterprise support. How to fix Insertion of Sensitive Information into Log File? Upgrade `org.springframework.cloud:spring-cloud-config-server` to version 4.3.3, 5.0.3 or higher.	[,4.3.3)[5.0.0-M1,5.0.3)
M Empty Password in Configuration File org.springframework.cloud:spring-cloud-config-server is a library that provides an HTTP resource-based API for external configuration. Affected versions of this package are vulnerable to Empty Password in Configuration File through the `GoogleSecretManagerV1AccessStrategy` in the `org.springframework.cloud.config.server.environment.secretmanager` package. An attacker can load secrets from an arbitrary project by supplying an `X-Project-ID` header on a Config Client request, causing the server to query Secret Manager with that project ID and return GSM-backed property sources from the chosen project. When the server is deployed with Secret Manager credentials that can read multiple projects, this exposes secrets from projects the client should not be able to access and can leak application configuration and credentials. Note: Fixes for earlier branches including 4.2.x, 4.1.x and 3.1.x are available under enterprise support. Workarounds Set `spring.cloud.config.server.gcp-secret-manager.token-mandatory=true` and keep it enabled so the server performs the `X-Config-Token` permission check before returning GSM-backed secrets, which prevents clients from loading secrets solely by steering `X-Project-ID`. How to fix Empty Password in Configuration File? Upgrade `org.springframework.cloud:spring-cloud-config-server` to version 4.3.3, 5.0.3 or higher.	[,4.3.3)[5.0.0-M1,5.0.3)
H Directory Traversal org.springframework.cloud:spring-cloud-config-server is a library that provides an HTTP resource-based API for external configuration. Affected versions of this package are vulnerable to Directory Traversal through the profile substitution logic in `EnvironmentController`, `ResourceController`, and `AbstractScmAccessor`. An attacker can access files outside the configured search directories or trigger requests to attacker-controlled URLs by supplying crafted profile values in requests or template placeholders. Note: Fixes for earlier branches including 4.2.x, 4.1.x and 3.1.x are available under enterprise support. How to fix Directory Traversal? Upgrade `org.springframework.cloud:spring-cloud-config-server` to version 4.3.2, 5.0.2 or higher.	[,4.3.2)[5.0.0-M1,5.0.2)
M Improper Authorization org.springframework.cloud:spring-cloud-config-server is a library that provides an HTTP resource-based API for external configuration. Affected versions of this package are vulnerable to Improper Authorization due to not using the Vault token sent by clients using a `X-CONFIG-TOKEN` header when making requests to Vault. Note: This is only exploitable if all of the following conditions are met: You have Spring Vault on the classpath of your Spring Cloud Config Server; You are using the `X-CONFIG-TOKEN` header to send a Vault token to the Spring Cloud Config Server for the Config Server to use when making requests to Vault; You are using the default Spring Vault `SessionManager` implementation `LifecycleAwareSessionManager` or a `SessionManager` implementation that persists the Vault token such as `SimpleSessionManager`. How to fix Improper Authorization? Upgrade `org.springframework.cloud:spring-cloud-config-server` to version 3.1.10, 4.1.6, 4.2.2 or higher.	[2.2.0,3.1.10)[4.0.0,4.1.6)[4.2.0,4.2.2)

Vulnerability

Vulnerable Version

Directory Traversal

org.springframework.cloud:spring-cloud-config-server is a library that provides an HTTP resource-based API for external configuration.

Affected versions of this package are vulnerable to Directory Traversal via the EnvironmentController, ResourceController, and EncryptionController request handlers in the config server web layer. An attacker can access unintended repository locations or trigger invalid environment lookups by supplying crafted name, profile, label, or path values such as encoded ../ sequences or leading-slash placeholders. This can expose configuration-backed resources and encryption endpoints to requests outside the intended app/profile namespace, breaking access to protected config data and causing request handling failures for affected users.

Note: Fixes for earlier branches including 4.2.x, 4.1.x and 3.1.x are available under enterprise support.

How to fix Directory Traversal?

Upgrade org.springframework.cloud:spring-cloud-config-server to version 4.3.3, 5.0.3 or higher.

[,4.3.3)[5.0.0-M1,5.0.3)

Directory Traversal

org.springframework.cloud:spring-cloud-config-server is a library that provides an HTTP resource-based API for external configuration.

Affected versions of this package are vulnerable to Directory Traversal via the retrieve() and binary() methods in ResourceController. An attacker can read resources outside the intended search location by supplying a crafted label value containing encoded path traversal sequences in a request for a config resource. This lets the attacker retrieve unintended files or configuration content from the server, exposing data that should not be served through the config endpoint.

Note: Fixes for earlier branches including 4.2.x, 4.1.x and 3.1.x are available under enterprise support.

How to fix Directory Traversal?

Upgrade org.springframework.cloud:spring-cloud-config-server to version 4.3.3, 5.0.3 or higher.

[,4.3.3)[5.0.0-M1,5.0.3)

Insertion of Sensitive Information into Log File

org.springframework.cloud:spring-cloud-config-server is a library that provides an HTTP resource-based API for external configuration.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File through the AwsCodeCommitCredentialProvider class in the credential handling path. An attacker can recover the AWS access key and CodeCommit password by causing the provider to emit trace-level logs while it populates CredentialItem values. Those log messages expose secrets to anyone with access to application logs, allowing unauthorized use of the credentials and access to the associated CodeCommit resources.

Note: Fixes for earlier branches including 4.2.x, 4.1.x and 3.1.x are available under enterprise support.

How to fix Insertion of Sensitive Information into Log File?

Upgrade org.springframework.cloud:spring-cloud-config-server to version 4.3.3, 5.0.3 or higher.

[,4.3.3)[5.0.0-M1,5.0.3)

Empty Password in Configuration File

org.springframework.cloud:spring-cloud-config-server is a library that provides an HTTP resource-based API for external configuration.

Affected versions of this package are vulnerable to Empty Password in Configuration File through the GoogleSecretManagerV1AccessStrategy in the org.springframework.cloud.config.server.environment.secretmanager package. An attacker can load secrets from an arbitrary project by supplying an X-Project-ID header on a Config Client request, causing the server to query Secret Manager with that project ID and return GSM-backed property sources from the chosen project. When the server is deployed with Secret Manager credentials that can read multiple projects, this exposes secrets from projects the client should not be able to access and can leak application configuration and credentials.

Note: Fixes for earlier branches including 4.2.x, 4.1.x and 3.1.x are available under enterprise support.

Workarounds

Set spring.cloud.config.server.gcp-secret-manager.token-mandatory=true and keep it enabled so the server performs the X-Config-Token permission check before returning GSM-backed secrets, which prevents clients from loading secrets solely by steering X-Project-ID.

How to fix Empty Password in Configuration File?

Upgrade org.springframework.cloud:spring-cloud-config-server to version 4.3.3, 5.0.3 or higher.

[,4.3.3)[5.0.0-M1,5.0.3)

Directory Traversal

org.springframework.cloud:spring-cloud-config-server is a library that provides an HTTP resource-based API for external configuration.

Affected versions of this package are vulnerable to Directory Traversal through the profile substitution logic in EnvironmentController, ResourceController, and AbstractScmAccessor. An attacker can access files outside the configured search directories or trigger requests to attacker-controlled URLs by supplying crafted profile values in requests or template placeholders.

Note: Fixes for earlier branches including 4.2.x, 4.1.x and 3.1.x are available under enterprise support.

How to fix Directory Traversal?

Upgrade org.springframework.cloud:spring-cloud-config-server to version 4.3.2, 5.0.2 or higher.

[,4.3.2)[5.0.0-M1,5.0.2)

Improper Authorization

org.springframework.cloud:spring-cloud-config-server is a library that provides an HTTP resource-based API for external configuration.

Affected versions of this package are vulnerable to Improper Authorization due to not using the Vault token sent by clients using a X-CONFIG-TOKEN header when making requests to Vault.

Note:

This is only exploitable if all of the following conditions are met:

You have Spring Vault on the classpath of your Spring Cloud Config Server;
You are using the X-CONFIG-TOKEN header to send a Vault token to the Spring Cloud Config Server for the Config Server to use when making requests to Vault;
You are using the default Spring Vault SessionManager implementation LifecycleAwareSessionManager or a SessionManager implementation that persists the Vault token such as SimpleSessionManager.

How to fix Improper Authorization?

Upgrade org.springframework.cloud:spring-cloud-config-server to version 3.1.10, 4.1.6, 4.2.2 or higher.

[2.2.0,3.1.10)[4.0.0,4.1.6)[4.2.0,4.2.2)

org.springframework.cloud:spring-cloud-config-server@2.2.6.RELEASE

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically