CVE-2020-5405: 
Java vulnerability analysis and mitigation

Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack (Spring Security, NVD).

The vulnerability is classified as a Path Traversal attack (CWE-22) with a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. The issue affects the spring-cloud-config-server module, which can be exploited to serve arbitrary configuration files through specially crafted URLs (NVD).

The vulnerability allows attackers to access arbitrary configuration files through directory traversal, potentially exposing sensitive configuration information stored on the server (Spring Security).

Users of affected versions should upgrade to Spring Cloud Config version 2.2.2 for 2.2.x users, or version 2.1.7 for 2.1.x users. Older versions should upgrade to a supported branch. Additionally, it is recommended that spring-cloud-config-server should only be available on internal networks to clients that require it and should be secured with Spring Security. This limits exposure to the vulnerability to those with internal network access and proper authentication (Spring Security).

The vulnerability was identified and responsibly reported by Yiming Xiang from NSFOCUS Security Team (Spring Security).