CVE-2026-22739

· Published 24/03/2026 01:17 · Modified 24/03/2026 15:53

Labels: CVE-2026-22739, 2026-03-24, CWE-22, [email protected]

Essential information

Published
24/03/2026 01:17
Modified
24/03/2026 15:53
Author
Creator
CVSS
8.6 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Description

Vulnerability in Spring Cloud when substituting the profile parameter from a request made to a Spring Cloud Config Server configured with the native file system as a backend: it was possible to access files outside of the configured search directories. This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]

Affected products (CPE)

Product | CPE
vmware / spring cloud | cpe:2.3:a:vmware:spring_cloud:3.1.<13-*:*:*:*:*:*:*
vmware / spring cloud | cpe:2.3:a:vmware:spring_cloud:4.1.<9:*:*:*:*:*:*
vmware / spring cloud | cpe:2.3:a:vmware:spring_cloud:4.2.<3:*:*:*:*:*:*
vmware / spring cloud | cpe:2.3:a:vmware:spring_cloud:4.3.<2:*:*:*:*:*:*
vmware / spring cloud | cpe:2.3:a:vmware:spring_cloud:5.0.<2:*:*:*:*:*:*

References