Spring Cloud Config Google Secrets Manager Project Secret Exposure Vulnerability

Vulnerability

A vulnerability exists in Spring Cloud Config when Google Secrets Manager is used as the backend. A client can send a request to the config server that may expose secrets from unintended Google Cloud Platform projects. This issue affects Spring Cloud Config versions 3.1.0 through 3.1.13, 4.1.0 through 4.1.9, 4.2.0 through 4.2.6, 4.3.0 through 4.3.2, and 5.0.0 through 5.0.2. Older, unsupported versions are also affected.

Impact

Exploitation of this vulnerability could lead to unauthorized access to secrets from GCP projects that the config server can access, potentially allowing sensitive information to be exposed or misused.

Remediation

Users should upgrade to Spring Cloud Config 3.1.14, 4.1.10, 4.2.7, 4.3.3, or 5.0.3, depending on their current version. If an upgrade is not possible, the `spring.cloud.config.server.gcp-secret-manager.token-mandatory=true` option can be set to require clients to send a valid token that will be verified for access to the requested project's secrets.
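An added audit helper, not part of this advisory or of the Spring Cloud project, that classifies a declared spring-cloud-config-server version against the affected ranges above and checks an application.properties snippet for the token-mandatory workaround; treating unlisted older lines such as 4.0.x as affected follows the advisory's "older, unsupported versions" note, and SAMPLE_PROPERTIES is a constructed input.

```python
from __future__ import annotations
# Affected patch ranges and fixed releases from the advisory: (major, minor) -> (lo, hi, fix)
AFFECTED_LINES = {
    (3, 1): (0, 13, "3.1.14"),
    (4, 1): (0, 9, "4.1.10"),
    (4, 2): (0, 6, "4.2.7"),
    (4, 3): (0, 2, "4.3.3"),
    (5, 0): (0, 2, "5.0.3"),
}
MITIGATION_KEY = "spring.cloud.config.server.gcp-secret-manager.token-mandatory"
# Constructed sample of a config server's application.properties (not from the advisory).
SAMPLE_PROPERTIES = "# workaround from the advisory\n" + MITIGATION_KEY + "=true\n"

def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '4.1.9' or '4.1.9-SNAPSHOT' into (4, 1, 9); missing parts count as 0."""
    parts = [int(p) for p in version.split("-")[0].split(".")] + [0, 0]
    return parts[0], parts[1], parts[2]

def is_affected(version: str) -> tuple[bool, str | None]:
    """Return (affected, release to upgrade to); the release is None when not affected."""
    major, minor, patch = parse_version(version)
    line = AFFECTED_LINES.get((major, minor))
    if line is not None:
        lo, hi, fix = line
        return (True, fix) if lo <= patch <= hi else (False, None)
    # Lines the advisory does not list (e.g. 3.0.x, 4.0.x) are its "older,
    # unsupported versions", also affected: point them at the next fixed line.
    newer = sorted(k for k in AFFECTED_LINES if k > (major, minor))
    if newer:
        return True, AFFECTED_LINES[newer[0]][2]
    return False, None  # newer than every listed line: not covered by the advisory

def mitigation_enabled(properties_text: str) -> bool:
    """True when a .properties snippet sets the advisory's workaround key to true."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        if key.strip() == MITIGATION_KEY:
            return value.strip().lower() == "true"
    return False

def assess(version: str, properties_text: str) -> str:
    affected, fix = is_affected(version)
    if not affected:
        return "not affected"
    if mitigation_enabled(properties_text):
        return f"affected, workaround in place; still upgrade to {fix}"
    return f"affected, no workaround; upgrade to {fix} or set {MITIGATION_KEY}=true"
```

Calling `assess("4.1.9", SAMPLE_PROPERTIES)` reports the workaround as present but still points at 4.1.10, since the property only gates access and does not replace the fix.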

Added: May 7, 2026, 4:42 AM
Updated: May 7, 2026, 4:42 AM

Vulnerability Rating

Custom Algorithm

spread          0.3
impact          2.5
exploitability  7.0
remediation     8.3
relevance       7.7
threat          0.0
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.