GHSA-p6rp-mx85-m459

GitHub Security Advisory

Spring Cloud Contract vulnerable to local information disclosure

GitHub Reviewed: ✓ | Severity: LOW | Has CVE

Advisory Details

In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via a temporary directory created with unsafe permissions. The issue comes from the shaded com.google.guava:guava dependency bundled in the org.springframework.cloud:spring-cloud-contract-shade dependency.

Affected Packages

Maven org.springframework.cloud:spring-cloud-contract-shade
Affected versions: 4.1.0 (fixed in 4.1.1)
Maven org.springframework.cloud:spring-cloud-contract-shade
Affected versions: 4.0.0 (fixed in 4.0.5)
Maven org.springframework.cloud:spring-cloud-contract-shade
Affected versions: 3.1.0 (fixed in 3.1.10)

Key Information

GHSA ID: GHSA-p6rp-mx85-m459
Published: January 31, 2024 9:30 AM
Last Modified: June 4, 2025 9:10 PM
CVSS Score: 2.5/10
Primary Ecosystem: Maven
Primary Package: org.springframework.cloud:spring-cloud-contract-shade
GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 18, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.