CVE-2019-3799: Spring Cloud Config 2.1.2, 2.0.4, 1.4.6 Released
We have released Spring Cloud Config 2.1.2, 2.0.4, and 1.4.6 to address CVE-2019-3799: Directory Traversal with spring-cloud-config-server. Please review the information in the CVE report and upgrade immediately.
These fixes will be included in the next release of the respective Spring Cloud release train.
NOTE: To override the version in Maven, update the dependency to include the version, such as:
<dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-config-server</artifactId> <version>2.1.2.RELEASE</version> </dependency>
Similarly, in Gradle: