CVE-2024-22236

LOW

Spring Cloud Contract <4.1.1, <4.0.5, <3.1.10 - Info Disclosure


Description

In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via a temporary directory created with unsafe permissions by the shaded com.google.guava:guava dependency inside the org.springframework.cloud:spring-cloud-contract-shade dependency.

Scores

CVSS v3 3.3
EPSS 0.0010
EPSS Percentile 26.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-377 CWE-732
Status published
Products (3)
org.springframework.cloud/spring-cloud-contract-shade 4.1.0 - 4.1.1 (Maven)
vmware/spring_cloud_contract 4.1.0
vmware/spring_cloud_contract 3.1.0 - 3.1.10
Published Jan 31, 2024
Tracked Since Feb 18, 2026