CVE-2024-22236

Summary

In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.

Affected Software

VendorProductVersion RangeStatus
SpringSpring Cloud Contract4.1.0 < 4.1.1affected
SpringSpring Cloud Contract4.0.0 < 4.0.6affected
SpringSpring Cloud Contract3.1.0 < 3.1.10affected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References