CVE-2019-3799

Severity: MEDIUM · Nuclei template available

Spring Cloud Config < 1.4.6 - Path Traversal via Crafted URL


Exploitation Summary

EIP tracks 4 public exploits for CVE-2019-3799. PoCs published by Dhiraj Mishra, mpgn, Corgizz, including Metasploit module auxiliary/scanner/http/springcloud_traversal. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits an unauthenticated directory traversal vulnerability in Spring Cloud Config Server by crafting a malicious URI to read arbitrary files from the server. It sends a GET request with a traversal payload to retrieve the specified file.

Description

Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.

Exploits (4)

exploitdb WORKING POC
by Dhiraj Mishra · ruby · webapps · java
https://www.exploit-db.com/exploits/46772

This Metasploit module exploits an unauthenticated directory traversal vulnerability in Spring Cloud Config Server by crafting a malicious URI to read arbitrary files from the server. It sends a GET request with a traversal payload to retrieve the specified file.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Spring Cloud Config Server versions 2.1.x prior to 2.1.2, 2.0.x prior to 2.0.4, and 1.4.x prior to 1.4.6
No auth needed
Prerequisites: Network access to the target server · Spring Cloud Config Server running on default or specified port
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 31 stars
by mpgn · poc
https://github.com/mpgn/CVE-2019-3799

This repository contains a working proof-of-concept for CVE-2019-3799, a directory traversal vulnerability in Spring Cloud Config Server versions prior to 2.1.2, 2.0.4, and 1.4.6. The exploit demonstrates how a malicious user can access arbitrary files on the server by crafting a URL with encoded path traversal sequences.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Spring Cloud Config Server < 2.1.2, 2.0.4, 1.4.6
No auth needed
Prerequisites: A vulnerable version of Spring Cloud Config Server running and accessible
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC
by Vern, Dhiraj Mishra · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/springcloud_traversal.rb

This Metasploit module exploits an unauthenticated directory traversal vulnerability in Spring Cloud Config Server (CVE-2019-3799) by crafting a malicious URI to read arbitrary files from the server. It sends a GET request with a traversal payload to retrieve files like /etc/passwd.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Spring Cloud Config Server versions 2.1.x prior to 2.1.2, 2.0.x prior to 2.0.4, and 1.4.x prior to 1.4.6
No auth needed
Prerequisites: Network access to the target server on port 8888
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Spring Cloud Config Server - Local File Inclusion
MEDIUM · by madrobot

References (2)

Core References (2)
Patch, Third Party Advisory (x_refsource_misc): https://www.oracle.com/security-alerts/cpuapr2022.html
Vendor Advisory (x_refsource_confirm): https://pivotal.io/security/cve-2019-3799

Scores

CVSS v3 6.5
EPSS 0.8966
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Details

CWE
CWE-22
Status published
Products (3)
oracle/communications_cloud_native_core_policy 1.15.0
org.springframework.cloud/spring-cloud-config-server 0 - 1.4.6 (Maven)
vmware/spring_cloud_config 1.4.0 - 1.4.6
Published May 06, 2019
Tracked Since Feb 18, 2026