CVE-2024-22236


In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via a temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.


Published

2024-01-31T07:15:07.697

Last Modified

2025-06-03T19:15:37.390

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 3.3 (LOW)

Weaknesses
  • Type: Primary
    CWE-732
  • Type: Secondary
    CWE-377

Affected Vendors & Products
Type         Vendor  Product                Version/Range  Vulnerable?
Application  vmware  spring_cloud_contract  < 3.1.10       Yes
Application  vmware  spring_cloud_contract  < 4.0.5        Yes
Application  vmware  spring_cloud_contract  4.1.0          Yes
