CVE-2024-22236
Spring Cloud Contract vulnerable to local information disclosure
CVSS 3.1 base score: 3.3 (LOW)
EPSS: 0.10%
Description
In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure: a temporary directory is created with unsafe permissions by the shaded com.google.guava:guava dependency bundled in the org.springframework.cloud:spring-cloud-contract-shade artifact, so other local users on the host running the tests can read what the test run writes there.
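The pattern behind that description, shown beside its hardened form and a permission check, as an added example that is not code from Spring Cloud Contract or from Guava. The class and method names are hypothetical; the unsafe method reproduces with plain java.io what a mkdir-based temp directory helper does (the directory gets only the process umask, typically 022, so it ends up 0755), and the example assumes a POSIX filesystem, which is where the vulnerability applies:

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Hypothetical helper class written for this example; not part of the
// Spring Cloud Contract or Guava code base.
public class TempDirPermissions {

    private static final Set<PosixFilePermission> OWNER_ONLY =
            PosixFilePermissions.fromString("rwx------");

    /**
     * Unsafe pattern (assumed equivalent of a mkdir-based temp dir helper):
     * File.mkdir() applies only the process umask. With the common umask 022
     * the directory is created 0755, so any local user can list it and read
     * the files a test run places inside it. Reproduced with java.io so the
     * example has no Guava dependency.
     */
    static Path createTempDirUnsafe() throws IOException {
        File base = new File(System.getProperty("java.io.tmpdir"));
        File dir = new File(base, "contract-" + System.nanoTime());
        if (!dir.mkdir()) {
            throw new IOException("could not create " + dir);
        }
        return dir.toPath();
    }

    /**
     * Hardened pattern: request owner-only permissions at creation time, so
     * there is no window in which the directory is readable by others.
     * java.nio.file.Files.createTempDirectory also chooses an unpredictable
     * name; passing the attribute explicitly makes the intent visible even
     * though the JDK already defaults to rwx------ on POSIX filesystems.
     */
    static Path createTempDirSafe() throws IOException {
        FileAttribute<Set<PosixFilePermission>> attr =
                PosixFilePermissions.asFileAttribute(OWNER_ONLY);
        return Files.createTempDirectory("contract-", attr);
    }

    /**
     * Check to run against a directory a test harness hands you: true if any
     * group or other permission bit is set, i.e. the directory leaks to other
     * local users. Throws UnsupportedOperationException on non-POSIX filesystems.
     */
    static boolean isReadableByOthers(Path dir) throws IOException {
        for (PosixFilePermission p : Files.getPosixFilePermissions(dir)) {
            switch (p) {
                case OWNER_READ:
                case OWNER_WRITE:
                case OWNER_EXECUTE:
                    break;
                default:
                    return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        Path unsafe = createTempDirUnsafe();
        Path safe = createTempDirSafe();
        try {
            report("unsafe", unsafe);
            report("safe  ", safe);
        } finally {
            Files.deleteIfExists(unsafe);
            Files.deleteIfExists(safe);
        }
    }

    private static void report(String label, Path dir) throws IOException {
        String mode = PosixFilePermissions.toString(Files.getPosixFilePermissions(dir));
        System.out.println(label + " " + dir + " mode=" + mode
                + " exposed=" + isReadableByOthers(dir));
    }
}
```

Run with `javac TempDirPermissions.java && java TempDirPermissions` on a host whose umask is 022; the unsafe directory reports `mode=rwxr-xr-x exposed=true` and the hardened one `mode=rwx------ exposed=false`. The same check can be pointed at `java.io.tmpdir` after a contract test run to confirm the upgraded dependency no longer leaves world-readable directories behind.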
How to fix CVE-2024-22236
To remediate CVE-2024-22236, upgrade the affected package to the fixed version for your release line:
- 4.1.x: upgrade to 4.1.1 or later
- 4.0.x: upgrade to 4.0.5 or later
- 3.1.x: upgrade to 3.1.10 or later
Is CVE-2024-22236 being exploited?
Low. The EPSS score is 0.10%, a very low predicted probability of exploitation in the next 30 days; EPSS estimates likelihood and is not a record of observed attacks. The CVSS vector (AV:L, PR:L) also means an attacker already needs a local account on the host where the tests run.
Affected packages (1)
- org.springframework.cloud:spring-cloud-contract-shade >= 4.1.0, < 4.1.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW (3.3) | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |