{"id":"CVE-2019-3799","details":"Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.","aliases":["GHSA-4x49-w62v-76q7"],"modified":"2026-04-11T09:46:15.370989Z","published":"2019-05-06T16:29:01.567Z","references":[{"type":"ADVISORY","url":"https://pivotal.io/security/cve-2019-3799"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/spring-cloud/spring-cloud-config","events":[{"introduced":"db63853853de3f3f5ae3d438bb4c9496d55d4c55"},{"fixed":"a196f98d174a458e61f83560cae075a0d6168c78"},{"introduced":"f266d9581cf0dd6d0b2a509849231100d4eb7354"},{"fixed":"743a5fb692dc329721d16507ec4d252803202201"},{"introduced":"e62e06c39a7c20af1202a6600e91fc6b50d6a181"},{"fixed":"2fcda6e1cb3d59e9e4accf92de1401d6c32092de"}],"database_specific":{"versions":[{"introduced":"1.4.0"},{"fixed":"1.4.6"},{"introduced":"2.0.0"},{"fixed":"2.0.4"},{"introduced":"2.1.0"},{"fixed":"2.1.2"}]}}],"versions":["v1.4.0.RELEASE","v1.4.1.RELEASE","v1.4.2.RELEASE","v1.4.3.RELEASE","v1.4.4.RELEASE","v1.4.5.RELEASE","v2.0.0.RELEASE","v2.0.1.RELEASE","v2.0.2.RELEASE","v2.0.3.RELEASE","v2.1.0.RELEASE","v2.1.1.RELEASE"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.15.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-3799.json","vanir_signatures_modified":"2026-04-11T09:46:15Z","vanir_signatures":[{"target":{"file":"spring-cloud-config-server/src/main/java/org/springframework/cloud/config/server/resource/GenericResourceRepository.java"},"id":"CVE-2019-3799-0636d904","digest":{"line_hashes":["949194651875438669706605535452
85181372","68274752391660966962152554233441497566","193452037949087127198119754004826598971","166147205203648982418675755032725841562","275152148129752306237161848041872517300","264217287882986353280194834284592748372","25244021440852412504933894519844512179","322096917969862465322643984486128749491","128680357418445237383179345481252631028","167726214489020897194106252811918622933","297308149182000668762319979272761800698","283963623881780530073181660326261980832","275730032358908697354549790090739710787","197463681772859408202623160137270127798","298479558906306396605450710318922137912","168429358341195919678594681729586394943","190248381295123808074338993970898165355","243239218514652414550734838758502337908","226401398484896276700615659631558598701","226969712610447052750936659983570408598","238771086858012736805693825792849873716","107634937280829966523683359414083711014","267921123114983007076650789287533637245","102715412356406950219770955940244365114","287490125321611852947951489243539965083","325380430615033688285015481369847096390","179479787210101047148126097551328974728","214907776460882731214202324498802655739","148191939425558738617431902452764072112","145852163909169864843084884897346843106","115986887373827876102682101560048162083","119258988697698457769296765622298402469","183325986263730029783145769233746546977"],"threshold":0.9},"deprecated":false,"source":"https://github.com/spring-cloud/spring-cloud-config/commit/2fcda6e1cb3d59e9e4accf92de1401d6c32092de","signature_type":"Line","signature_version":"v1"},{"target":{"file":"spring-cloud-config-server/src/test/java/org/springframework/cloud/config/server/resource/GenericResourceRepositoryTests.java"},"id":"CVE-2019-3799-d17abe1a","digest":{"line_hashes":["243590834716320725105594350814500882154","269890579721546833819407202798994410207","194976620405423695720624834494797958197","202705256757408202299941250544196632952","282371284396453858276321070849083910540"],"threshold":0.9},"deprecated":false,"
source":"https://github.com/spring-cloud/spring-cloud-config/commit/2fcda6e1cb3d59e9e4accf92de1401d6c32092de","signature_type":"Line","signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}]}