Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities found for Spring Cloud Contract by Spring
CVE-2024-22236 (GCVE-0-2024-22236)
Vulnerability from nvd – Published: 2024-01-31 06:54 – Updated: 2025-06-03 18:43
VLAI?
Summary
In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.
Severity ?
CWE
- CWE-377 - Insecure Temporary File
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Spring | Spring Cloud Contract |
Affected:
4.1.0 , < 4.1.1
(4.1.1)
Affected: 4.0.0 , < 4.0.6 (4.0.6) Affected: 3.1.0 , < 3.1.10 (3.1.10) |
Date Public ?
2024-01-30 06:48
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:43:33.704Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://spring.io/security/cve-2024-22236"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22236",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-23T19:28:44.248302Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-377",
"description": "CWE-377 Insecure Temporary File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T18:43:58.133Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring Cloud Contract",
"vendor": "Spring",
"versions": [
{
"lessThan": "4.1.1",
"status": "affected",
"version": "4.1.0",
"versionType": "4.1.1"
},
{
"lessThan": "4.0.6",
"status": "affected",
"version": "4.0.0",
"versionType": "4.0.6"
},
{
"lessThan": "3.1.10",
"status": "affected",
"version": "3.1.0",
"versionType": "3.1.10"
}
]
}
],
"datePublic": "2024-01-30T06:48:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eIn Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded \u003cb\u003ecom.google.guava:guava\u003c/b\u003e\u0026nbsp;dependency in the \u003cb\u003eorg.springframework.cloud:spring-cloud-contract-shade\u003c/b\u003e\u0026nbsp;dependency.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava\u00a0dependency in the org.springframework.cloud:spring-cloud-contract-shade\u00a0dependency.\n\n\n\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-31T06:54:51.091Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2024-22236"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2024-22236",
"datePublished": "2024-01-31T06:54:51.091Z",
"dateReserved": "2024-01-08T16:40:16.141Z",
"dateUpdated": "2025-06-03T18:43:58.133Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22236 (GCVE-0-2024-22236)
Vulnerability from cvelistv5 – Published: 2024-01-31 06:54 – Updated: 2025-06-03 18:43
VLAI?
Summary
In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.
Severity ?
CWE
- CWE-377 - Insecure Temporary File
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Spring | Spring Cloud Contract |
Affected:
4.1.0 , < 4.1.1
(4.1.1)
Affected: 4.0.0 , < 4.0.6 (4.0.6) Affected: 3.1.0 , < 3.1.10 (3.1.10) |
Date Public ?
2024-01-30 06:48
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:43:33.704Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://spring.io/security/cve-2024-22236"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22236",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-23T19:28:44.248302Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-377",
"description": "CWE-377 Insecure Temporary File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T18:43:58.133Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring Cloud Contract",
"vendor": "Spring",
"versions": [
{
"lessThan": "4.1.1",
"status": "affected",
"version": "4.1.0",
"versionType": "4.1.1"
},
{
"lessThan": "4.0.6",
"status": "affected",
"version": "4.0.0",
"versionType": "4.0.6"
},
{
"lessThan": "3.1.10",
"status": "affected",
"version": "3.1.0",
"versionType": "3.1.10"
}
]
}
],
"datePublic": "2024-01-30T06:48:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eIn Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded \u003cb\u003ecom.google.guava:guava\u003c/b\u003e\u0026nbsp;dependency in the \u003cb\u003eorg.springframework.cloud:spring-cloud-contract-shade\u003c/b\u003e\u0026nbsp;dependency.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava\u00a0dependency in the org.springframework.cloud:spring-cloud-contract-shade\u00a0dependency.\n\n\n\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-31T06:54:51.091Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2024-22236"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2024-22236",
"datePublished": "2024-01-31T06:54:51.091Z",
"dateReserved": "2024-01-08T16:40:16.141Z",
"dateUpdated": "2025-06-03T18:43:58.133Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}