VulnerableCode Package Details - pkg:maven/org.springframework.cloud/spring-cloud-config-server@4.3.3

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1vzp-x3f4-aqay	When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.	CVE-2026-40981 GHSA-2mh5-3cw6-hrrq
VCID-b548-vbfs-xugq	The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.	CVE-2026-41002 GHSA-86wq-234q-r6wg
VCID-je53-ksaj-sqch	When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.	CVE-2026-41004 GHSA-j6hh-h3cf-c2hf
VCID-zjpq-btz8-rkan	Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.	CVE-2026-40982 GHSA-6g23-24mc-hx6x

Vulnerability

Summary

Aliases

VCID-1vzp-x3f4-aqay

When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

CVE-2026-40981
GHSA-2mh5-3cw6-hrrq

VCID-b548-vbfs-xugq

The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

CVE-2026-41002
GHSA-86wq-234q-r6wg

VCID-je53-ksaj-sqch

When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

CVE-2026-41004
GHSA-j6hh-h3cf-c2hf

VCID-zjpq-btz8-rkan

Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

CVE-2026-40982
GHSA-6g23-24mc-hx6x

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T06:30:03.972327+00:00	GHSA Importer	Fixing	VCID-b548-vbfs-xugq	https://github.com/advisories/GHSA-86wq-234q-r6wg	38.6.0
2026-06-13T06:30:03.783073+00:00	GHSA Importer	Fixing	VCID-1vzp-x3f4-aqay	https://github.com/advisories/GHSA-2mh5-3cw6-hrrq	38.6.0
2026-06-13T06:30:03.630926+00:00	GHSA Importer	Fixing	VCID-je53-ksaj-sqch	https://github.com/advisories/GHSA-j6hh-h3cf-c2hf	38.6.0
2026-06-13T06:30:03.329240+00:00	GHSA Importer	Fixing	VCID-zjpq-btz8-rkan	https://github.com/advisories/GHSA-6g23-24mc-hx6x	38.6.0
2026-06-12T22:23:53.613604+00:00	GitLab Importer	Fixing	VCID-zjpq-btz8-rkan	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.cloud/spring-cloud-config-server/CVE-2026-40982.yml	38.6.0
2026-06-12T22:23:52.790804+00:00	GitLab Importer	Fixing	VCID-b548-vbfs-xugq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.cloud/spring-cloud-config-server/CVE-2026-41002.yml	38.6.0
2026-06-12T22:23:48.618805+00:00	GitLab Importer	Fixing	VCID-je53-ksaj-sqch	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.cloud/spring-cloud-config-server/CVE-2026-41004.yml	38.6.0
2026-06-12T22:23:29.895411+00:00	GitLab Importer	Fixing	VCID-1vzp-x3f4-aqay	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.cloud/spring-cloud-config-server/CVE-2026-40981.yml	38.6.0
2026-06-12T07:51:57.066553+00:00	GithubOSV Importer	Fixing	VCID-b548-vbfs-xugq	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-86wq-234q-r6wg/GHSA-86wq-234q-r6wg.json	38.6.0
2026-06-12T07:51:56.220490+00:00	GithubOSV Importer	Fixing	VCID-1vzp-x3f4-aqay	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-2mh5-3cw6-hrrq/GHSA-2mh5-3cw6-hrrq.json	38.6.0
2026-06-12T07:51:41.555471+00:00	GithubOSV Importer	Fixing	VCID-je53-ksaj-sqch	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-j6hh-h3cf-c2hf/GHSA-j6hh-h3cf-c2hf.json	38.6.0
2026-06-12T07:51:36.657952+00:00	GithubOSV Importer	Fixing	VCID-zjpq-btz8-rkan	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6g23-24mc-hx6x/GHSA-6g23-24mc-hx6x.json	38.6.0