CVE-2024-22236: 
Java vulnerability analysis and mitigation

In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency (Spring Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N by NIST NVD, while VMware assessed it with a Base Score of 3.3 (LOW) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-732: Incorrect Permission Assignment for Critical Resource (NVD).

The vulnerability could lead to local information disclosure through temporary directories that are created with unsafe permissions. This affects test execution environments where the Spring Cloud Contract is being used (Spring Advisory).

Users are advised to upgrade to the fixed versions: Spring Cloud Contract 4.1.1, 4.0.5, or 3.1.10. Specifically, 4.1.x users should upgrade to 4.1.1, 4.0.x users should upgrade to 4.0.5, and 3.1.x users should upgrade to 3.1.10. No other mitigation steps are necessary (Spring Advisory).

The vulnerability was identified and responsibly reported by Michael Kimball from Oddball (Spring Advisory).