=====================================================================
CERT-Renater Note d'Information No. 2026/VULN469
_____________________________________________________________________

DATE                : 07/05/2026
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S) : Systems running Spring Cloud Config versions prior to
                      5.0.3, 4.3.3, 4.2.7, 4.1.10, 3.1.14.
=====================================================================

https://spring.io/security/cve-2026-40982
https://spring.io/security/cve-2026-40981
https://spring.io/security/cve-2026-41002
https://spring.io/security/cve-2026-41004
_____________________________________________________________________

CVE-2026-40982: Directory Traversal with spring-cloud-config-server
CRITICAL | MAY 06, 2026 | CVE-2026-40982

Description
Spring Cloud Config allows applications to serve arbitrary text and binary
files through the spring-cloud-config-server module. A malicious user, or
attacker, can send a request using a specially crafted URL that can lead to
a directory traversal attack.

Affected Spring Products and Versions
Spring Cloud Config:
  3.1.x
  4.1.x
  4.2.x
  4.3.x
  5.0.x
Older, unsupported versions are also affected.

Mitigation
Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version   Availability
3.1.x                 3.1.14        Enterprise Support Only
4.1.x                 4.1.10        Enterprise Support Only
4.2.x                 4.2.7         Enterprise Support Only
4.3.x                 4.3.3         OSS
5.0.x                 5.0.3         OSS

Credit
The issue was identified and responsibly reported by Swapnil Paliwal and the
security team at AxiomCode using the AxiomEngine, August829, and rash18mi.
References
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N&version=3.1
_____________________________________________________________________

CVE-2026-40981: Spring Cloud Config Clients Can Access Secrets From Any
Project The Config Server Has Access To On Google Secrets Manager
HIGH | MAY 06, 2026 | CVE-2026-40981

Description
When using Google Secrets Manager as a backend for the Spring Cloud Config
server, a client can craft a request to the config server that potentially
exposes secrets from unintended GCP projects.

Affected Spring Products and Versions
Spring Cloud Config:
  3.1.x
  4.1.x
  4.2.x
  4.3.x
  5.0.x
Older, unsupported versions are also affected.

Mitigation
Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version   Availability
3.1.x                 3.1.14        Enterprise Support Only
4.1.x                 4.1.10        Enterprise Support Only
4.2.x                 4.2.7         Enterprise Support Only
4.3.x                 4.3.3         OSS
5.0.x                 5.0.3         OSS

If you cannot upgrade to one of the above releases, you can set
spring.cloud.config.server.gcp-secret-manager.token-mandatory=true to require
the client to send a valid token, which is then verified to have access to
the secrets in the requested project.

References
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N&version=3.1
_____________________________________________________________________

CVE-2026-41002: Spring Cloud Config Server Susceptible To TOCTOU Attack
HIGH | MAY 06, 2026 | CVE-2026-41002

Description
The base directory (spring.cloud.config.server.git.basedir) that the Spring
Cloud Config Server clones Git repositories into is susceptible to
time-of-check-time-of-use (TOCTOU) attacks.

Affected Spring Products and Versions
Spring Cloud Config:
  3.1.x
  4.1.x
  4.2.x
  4.3.x
  5.0.x
Older, unsupported versions are also affected.

Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s)   Fix version   Availability
3.1.x                 3.1.14        Enterprise Support Only
4.1.x                 4.1.10        Enterprise Support Only
4.2.x                 4.2.7         Enterprise Support Only
4.3.x                 4.3.3         OSS
5.0.x                 5.0.3         OSS

Credit
The issue was identified and responsibly reported by Yu Bao, who works for
PayPal.com (@August829).

References
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N&version=3.1
_____________________________________________________________________

CVE-2026-41004: Spring Cloud Config Server Logged Sensitive Information
MEDIUM | MAY 06, 2026 | CVE-2026-41004

Description
When trace logging was enabled in Spring Cloud Config Server, sensitive
information was written to the logs in plain text.

Affected Spring Products and Versions
Spring Cloud Config:
  3.1.x
  4.1.x
  4.2.x
  4.3.x
  5.0.x
Older, unsupported versions are also affected.

Mitigation
Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version   Availability
3.1.x                 3.1.14        Enterprise Support Only
4.1.x                 4.1.10        Enterprise Support Only
4.2.x                 4.2.7         Enterprise Support Only
4.3.x                 4.3.3         OSS
5.0.x                 5.0.3         OSS

References
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N&version=3.1

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
=========================================================
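The fix table in this note is the same for all four CVEs, and only CVE-2026-40981 comes with a configuration workaround. The Python below is an added example written for this note, not code from Spring or from CERT-Renater: it checks a deployed spring-cloud-config-server version against the advisory's fix versions and, for CVE-2026-40981, whether the token-mandatory workaround is set. The fix versions, CVE identifiers and the property name are taken from the advisory; the function names, the small application.properties parser and the sample inputs are constructed assumptions.

```python
"""Added example (not from Spring or CERT-Renater): assess a Spring Cloud
Config Server deployment against the fix table in this advisory.
Fix versions, CVE ids and the token-mandatory property name come from the
advisory; function names and sample inputs are constructed."""
import re

# Fix version per affected minor line (advisory table, identical for all four CVEs)
FIX_VERSIONS = {
    (3, 1): (3, 1, 14),
    (4, 1): (4, 1, 10),
    (4, 2): (4, 2, 7),
    (4, 3): (4, 3, 3),
    (5, 0): (5, 0, 3),
}

ADVISORY_CVES = (
    "CVE-2026-40982",  # directory traversal via spring-cloud-config-server
    "CVE-2026-40981",  # cross-project secret access with Google Secrets Manager
    "CVE-2026-41002",  # TOCTOU on spring.cloud.config.server.git.basedir
    "CVE-2026-41004",  # sensitive information in trace logs
)

# Workaround property the advisory names for CVE-2026-40981 only
TOKEN_MANDATORY_KEY = "spring.cloud.config.server.gcp-secret-manager.token-mandatory"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse 'X.Y.Z'; trailing qualifiers such as '-SNAPSHOT' are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_fixed(version_text):
    """True if at or above the fix for its line; False if below it, or on a
    line older than the table (the advisory says older versions are affected);
    None if the line is newer than anything the advisory covers."""
    major, minor, patch = parse_version(version_text)
    fix = FIX_VERSIONS.get((major, minor))
    if fix is not None:
        return (major, minor, patch) >= fix
    if (major, minor) < min(FIX_VERSIONS):
        return False
    return None


def load_properties(text):
    """Minimal parser for 'key=value' lines of an application.properties file
    (constructed helper: skips blank lines and '#' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def assess(version_text, properties):
    """Map each advisory CVE to 'fixed', 'open', 'workaround' or 'unknown'."""
    status = is_fixed(version_text)
    if status is True:
        return {cve: "fixed" for cve in ADVISORY_CVES}
    if status is None:
        return {cve: "unknown" for cve in ADVISORY_CVES}
    result = {cve: "open" for cve in ADVISORY_CVES}
    # Only CVE-2026-40981 has a configuration workaround in the advisory;
    # the other three are closed by the upgrade alone.
    if properties.get(TOKEN_MANDATORY_KEY, "false").strip().lower() == "true":
        result["CVE-2026-40981"] = "workaround"
    return result


if __name__ == "__main__":
    # Constructed sample: an unpatched 4.2.x server with the workaround set
    sample_props = load_properties(
        "spring.cloud.config.server.git.basedir=/var/lib/config-repo\n"
        "spring.cloud.config.server.gcp-secret-manager.token-mandatory=true\n"
    )
    for cve, state in assess("4.2.6", sample_props).items():
        print(f"{cve}: {state}")
```

Feed it the version reported by your build (for example the spring-cloud-config-server artifact version from the dependency tree) and the server's effective properties; anything other than "fixed" for a CVE means the upgrade from the table is still outstanding.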