CVE-2020-5410

CVE Database · CVE-2020-5410

CVE-2020-5410

· HIGHAnalyzed

CVSS v3.1

7.5

EPSS

95.59%

Published

Jun 2, 2020

Modified

Nov 3, 2025

CISA Known Exploited Vulnerability

Added: 2022-03-25 · Due: 2022-04-15

Apply updates per vendor instructions.

Public PoC / Exploit (5)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCosamahamad/CVE-2020-5410-POC★30 GitHub PoCdead5nd/config-demo★0 GitHub PoCshoucheng3/spring-cloud__spring-cloud-config_CVE-2020-5410_2-1-8-RELEASE★0

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses (CWE)

CWE-23CWE-22

Affected Products (2)

vmware · spring_cloud_config (up to 2.1.9)vulnerable

vmware · spring_cloud_config (up to 2.2.3)vulnerable

References (3)

https://tanzu.vmware.com/security/cve-2020-5410

Vendor Advisory

https://tanzu.vmware.com/security/cve-2020-5410

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5410

US Government Resource

KEV Catalog EPSS Scores Vendors All CVEs