CVE-2024-22236

In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guavadependency in the org.springframework.cloud:spring-cloud-contract-shadedependency.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.3 LOW
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vmwareCNA
3.3 LOW
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 22%
VendorProductVersion
vmwarespring_cloud_contract
3.1.0 ≤
𝑥
< 3.1.10
vmwarespring_cloud_contract
4.0.0 ≤
𝑥
< 4.0.5
vmwarespring_cloud_contract
4.1.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://spring.io/security/cve-2024-22236
https://spring.io/security/cve-2024-22236