Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-zewj-zxba-5fd5
Vulnerability ID VCID-zewj-zxba-5fd5
Aliases CVE-2019-3799
GHSA-4x49-w62v-76q7
Summary Path Traversal in Spring Cloud Config
Status Published
Exploitability 2.0
Weighted Severity 6.2
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 4.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-3799.json
epss 0.89662 https://api.first.org/data/v1/epss?cve=CVE-2019-3799
epss 0.89662 https://api.first.org/data/v1/epss?cve=CVE-2019-3799
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-4x49-w62v-76q7
cvssv3.1 6.5 https://github.com/mpgn/CVE-2019-3799
generic_textual MODERATE https://github.com/mpgn/CVE-2019-3799
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2019-3799
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2019-3799
cvssv3.1 6.5 https://pivotal.io/security/cve-2019-3799
generic_textual MODERATE https://pivotal.io/security/cve-2019-3799
cvssv3.1 6.5 https://www.oracle.com/security-alerts/cpuapr2022.html
generic_textual MODERATE https://www.oracle.com/security-alerts/cpuapr2022.html
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-3799.json
https://api.first.org/data/v1/epss?cve=CVE-2019-3799
1709202 https://bugzilla.redhat.com/show_bug.cgi?id=1709202
CVE-2019-3799 https://github.com/mpgn/CVE-2019-3799
CVE-2019-3799 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/webapps/46772.rb
CVE-2019-3799 https://nvd.nist.gov/vuln/detail/CVE-2019-3799
CVE-2019-3799 https://pivotal.io/security/cve-2019-3799
GHSA-4x49-w62v-76q7 https://github.com/advisories/GHSA-4x49-w62v-76q7
Data source Metasploit
Description This module exploits an unauthenticated directory traversal vulnerability which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6. Spring Cloud Config listens by default on port 8888.
Note 
Reliability:
  - unknown-reliability
Stability:
  - unknown-stability
SideEffects:
  - unknown-side-effects
Ransomware campaign use Unknown
Source publication date April 17, 2019
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/scanner/http/springcloud_traversal.rb
Data source Exploit-DB
Date added April 30, 2019
Description Spring Cloud Config 2.1.x - Path Traversal (Metasploit)
Ransomware campaign use Unknown
Source publication date April 30, 2019
Exploit type webapps
Platform java
Source update date April 30, 2019
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-3799.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/mpgn/CVE-2019-3799
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-3799
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://pivotal.io/security/cve-2019-3799
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://www.oracle.com/security-alerts/cpuapr2022.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.99585
EPSS Score 0.89662
Published At June 14, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T20:25:16.655216+00:00 GHSA Importer Import https://github.com/advisories/GHSA-4x49-w62v-76q7 38.6.0