CVE-2020-5410: Directory Traversal with spring-cloud-config-server

Vendor: Spring by VMware
Product: Spring Cloud Config
Weakness: CWE-23
KEV Status: Known Exploited
Published: June 2, 2020
Last update: October 21, 2025

What the vulnerability does

01 Description

Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.

CISA mandated remediation

02 CISA Required Action

Apply updates per vendor instructions.

Key dates

03 Disclosure timeline

June 2, 2020: CVE published
October 21, 2025: Record updated