Spring Cloud Config Server TOCTOU Vulnerability

Vulnerability

A time-of-check-time-of-use (TOCTOU) vulnerability has been identified in Spring Cloud Config Server. The flaw lies in how the base directory used for cloning Git repositories is handled: the directory is checked at one point in time and used at a later one, so it can be manipulated in the window between the two. Affected versions include Spring Cloud Config 3.1.x, 4.1.x, 4.2.x, 4.3.x and 5.0.x; older, unsupported versions are also affected.

Impact

Exploitation of this vulnerability could lead to unauthorized manipulation of Git repository cloning, potentially allowing for malicious changes to be introduced or legitimate changes to be intercepted or altered.

Remediation

Users should upgrade to the fixed release for their branch: 3.1.x to 3.1.14, 4.1.x to 4.1.10, 4.2.x to 4.2.7, 4.3.x to 4.3.3, and 5.0.x to 5.0.3. Note that 3.1.14, 4.1.10 and 4.2.7 are available through Enterprise Support only, while 4.3.3 and 5.0.3 are available as Open Source.
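A version triage helper, added here as an example (it is not part of the advisory or of the Spring Cloud project): it encodes the fixed versions listed above and classifies each spring-cloud-config-server version found in dependency-list style output. The sample lines are constructed, and a pre-release qualifier on a fixed version is treated as not yet fixed, which is an assumption on the conservative side.

```python
import re

# Fixed versions per supported branch, exactly as listed in the advisory above.
FIXED = {
    (3, 1): (3, 1, 14),
    (4, 1): (4, 1, 10),
    (4, 2): (4, 2, 7),
    (4, 3): (4, 3, 3),
    (5, 0): (5, 0, 3),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-.]([A-Za-z][\w.]*))?")


def parse_version(text):
    """Split 'MAJOR.MINOR.PATCH[-QUALIFIER]' (e.g. '4.2.7-SNAPSHOT') into (3-tuple, qualifier)."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch)), qualifier


def assess(text):
    """Classify one Spring Cloud Config version: fixed, vulnerable, unsupported or not-covered."""
    version, qualifier = parse_version(text)
    branch = version[:2]
    if branch in FIXED:
        if version < FIXED[branch]:
            return "vulnerable"
        # Assumption: a pre-release build (SNAPSHOT, RC, ...) of the fixed version may
        # predate the fix, so it is treated conservatively; '.RELEASE' is a final build.
        if version == FIXED[branch] and qualifier and qualifier.upper() != "RELEASE":
            return "vulnerable"
        return "fixed"
    if branch < max(FIXED):
        return "unsupported"  # older branch: affected per the advisory, no fixed release listed
    return "not-covered"      # newer than any branch the advisory mentions


DEP_RE = re.compile(r"org\.springframework\.cloud:spring-cloud-config-server:(?:jar:)?([\w.\-]+)")


def scan_dependency_lines(lines):
    """Map each spring-cloud-config-server version found in dependency-list style lines to its status."""
    return {m.group(1): assess(m.group(1)) for line in lines if (m := DEP_RE.search(line))}


if __name__ == "__main__":
    # Constructed sample in the style of `mvn dependency:list` output, not real project data.
    sample = [
        "[INFO]    org.springframework.cloud:spring-cloud-config-server:jar:4.2.6:compile",
        "[INFO]    org.springframework.cloud:spring-cloud-config-server:jar:5.0.3:compile",
    ]
    for version, status in scan_dependency_lines(sample).items():
        print(f"{version}: {status}")
```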

Added: May 7, 2026, 4:42 AM
Updated: May 7, 2026, 4:42 AM

Vulnerability Rating

Custom Algorithm

  spread          0.3
  impact          0.8
  exploitability  3.1
  remediation     7.7
  relevance       7.7
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.