CVE-2024-22236

{"id": "CVE-2024-22236", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@vmware.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-01-31T07:15:07.697", "references": [{"url": "https://spring.io/security/cve-2024-22236", "tags": ["Vendor Advisory"], "source": "security@vmware.com"}, {"url": "https://spring.io/security/cve-2024-22236", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-732"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-377"}]}], "descriptions": [{"lang": "en", "value": "In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava\u00a0dependency in the org.springframework.cloud:spring-cloud-contract-shade\u00a0dependency.\n\n\n\n\n\n"}, {"lang": "es", "value": "En Spring Cloud Contract, versiones 4.1.x anteriores a 4.1.1, versiones 4.0.x anteriores a 4.0.5 y versiones 3.1.x anteriores a 3.1.10, la ejecuci\u00f3n de prueba es vulnerable a la divulgaci\u00f3n de informaci\u00f3n local a trav\u00e9s de un directorio temporal creado con archivos no seguros. permisos a trav\u00e9s de la dependencia sombreada com.google.guava:guava en la dependencia org.springframework.cloud:spring-cloud-contract-shade ."}], "lastModified": "2025-06-03T19:15:37.390", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_cloud_contract:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36CB4DBB-F5DB-4E5C-9D59-6499710BE4B4", "versionEndExcluding": "3.1.10", "versionStartIncluding": "3.1.0"}, {"criteria": "cpe:2.3:a:vmware:spring_cloud_contract:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7634805F-40C1-4BCA-A83F-AED0D141CAD9", "versionEndExcluding": "4.0.5", "versionStartIncluding": "4.0.0"}, {"criteria": "cpe:2.3:a:vmware:spring_cloud_contract:4.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2B852868-633D-4A85-A5A0-503C354F5D4A"}], "operator": "OR"}]}], "sourceIdentifier": "security@vmware.com"}