CVE-2024-22236
EUVD-2024-039231.01.2024, 07:15
In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| vmware | spring_cloud_contract | 3.1.0 ≤ 𝑥 < 3.1.10 |
| vmware | spring_cloud_contract | 4.0.0 ≤ 𝑥 < 4.0.5 |
| vmware | spring_cloud_contract | 4.1.0 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-732 - Incorrect Permission Assignment for Critical ResourceThe product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
- CWE-377 - Insecure Temporary FileCreating and using insecure temporary files can leave application and system data vulnerable to attack.