Spring Cloud Config Profile Substitution Vulnerability Allowing Unintended File Access and SSRF

Vulnerability

A vulnerability exists in Spring Cloud Config Server when the profile parameter from a request is substituted into the search locations of a server using the native file system as a backend. This flaw allows access to files outside the designated search directories. Additionally, when a source control backend is used, the profile parameter can also be substituted into the source control repository URL, potentially facilitating Server-Side Request Forgery (SSRF) attacks. The vulnerability affects Spring Cloud versions 3.1.x prior to 3.1.13, 4.1.x prior to 4.1.9, 4.2.x prior to 4.2.3, 4.3.x prior to 4.3.2, and 5.0.x prior to 5.0.2.

Impact

Exploitation of this vulnerability could lead to unauthorized access to files outside the configured directories, and in cases using a source control backend, it could enable SSRF attacks by allowing the application to make requests to internal services or resources that are not publicly accessible.

Remediation

Users should upgrade to Spring Cloud Config versions 3.1.13, 4.1.9, 4.2.6, 4.3.2, or 5.0.2, depending on their current version.
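The following added example is not Spring Cloud Config's own code; it models the native-backend case described above with an assumed search-location template (`file:///etc/config/{profile}/`) and a constructed profile value, showing how an unvalidated substitution resolves outside the search directory and how an allow-list plus a canonical-path containment check rejects it.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import urlparse

# Assumed search-location template (hypothetical, not the project's own config):
# the request's profile is substituted where {profile} appears.
TEMPLATE = "file:///etc/config/{profile}/"

# Allow-list for profile names: a plain token, no dots, slashes or separators.
SAFE_PROFILE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


def is_within_root(root: str, path: str) -> bool:
    """String-only containment check on POSIX paths (no filesystem I/O)."""
    root_n = posixpath.normpath(root)
    path_n = posixpath.normpath(path)
    return path_n == root_n or path_n.startswith(root_n.rstrip("/") + "/")


def naive_resolution(profile: str, template: str = TEMPLATE) -> str:
    """Directory an unvalidated substitution resolves to (illustrates the flaw)."""
    resolved = urlparse(template.replace("{profile}", profile))
    return posixpath.normpath(resolved.path)


def safe_resolution(profile: str, template: str = TEMPLATE) -> Optional[str]:
    """Resolved directory, or None when the profile must be rejected."""
    if not SAFE_PROFILE.match(profile):
        return None  # layer 1: the profile name itself must be a plain token
    resolved = urlparse(template.replace("{profile}", profile))
    if resolved.scheme != "file" or resolved.netloc:
        return None  # layer 2: substitution must not change scheme or host
    root = urlparse(template.split("{profile}", 1)[0]).path  # "/etc/config/"
    if not is_within_root(root, resolved.path):
        return None  # layer 3: canonical path must stay under the search root
    return posixpath.normpath(resolved.path)


if __name__ == "__main__":
    # Constructed sample values: a legitimate profile and a traversal attempt.
    for profile in ("prod", "../../etc/secret"):
        print(profile, "->", naive_resolution(profile), "|", safe_resolution(profile))
```

The naive resolution for the traversal value lands on `/etc/secret`, outside `/etc/config`, while `safe_resolution` returns None for it and still resolves `prod` to `/etc/config/prod`.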

Added: Mar 24, 2026, 1:26 AM
Updated: Mar 24, 2026, 1:26 AM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 0.8
exploitability: 7.0
remediation: 7.7
relevance: 4.6
threat: 0.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.