CVE-2024-22236

CVE Database · CVE-2024-22236

CVE-2024-22236

· LOWModified

CVSS v3.1

3.3

EPSS

0.22%

Published

Jan 31, 2024

Modified

Jun 3, 2025

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Weaknesses (CWE)

CWE-732CWE-377

Affected Products (3)

vmware · spring_cloud_contract (up to 3.1.10)vulnerable

vmware · spring_cloud_contract (up to 4.0.5)vulnerable

vmware · spring_cloud_contractvulnerable

References (2)

https://spring.io/security/cve-2024-22236

Vendor Advisory

https://spring.io/security/cve-2024-22236

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs