[Java] CVE-2019-3799 Spring-Cloud-Config-Server path traversal / arbitrary file reading

1 minute read


Setup: create a Spring project in IDEA, then add the dependency to pom.xml


Configure application.properties


Then request the resource endpoint (screenshot omitted).


Spring Cloud Config Server is the Spring component for distributed configuration management: configuration is stored on the server side, and clients fetch configuration values over HTTP. The route that handles the payload is org.springframework.cloud.config.server.resource.ResourceController#retrieve(), whose code is:

    // Vulnerable version: the path built from the request is handed straight
    // to the internal retrieve() with no traversal check.
    public String retrieve(@PathVariable String name, @PathVariable String profile, @PathVariable String label, HttpServletRequest request, @RequestParam(defaultValue = "true") boolean resolvePlaceholders) throws IOException {
        String path = this.getFilePath(request, name, profile, label);
        return this.retrieve(name, profile, label, path, resolvePlaceholders);
    }

In {name}/{profile}/{label}, name is the repository name, profile is the configuration profile, and label is the git branch name (usually master). In practice the name and profile values do not matter, but the label must be an existing branch. Stepping into getFilePath in the debugger (screenshot omitted): the servlet container has already decoded %25 to %, and the path passed on to retrieve() is our payload.


Following findOne, located at org.springframework.cloud.config.server.resource.GenericResourceRepository#findOne:

(screenshot omitted) The locations directory file:/C:/Users/icu/AppData/Local/Temp/config-repo-6608031716294156148/ is the temporary directory into which the configured git repository is cloned; appending ../ to it lets the request read files outside that directory.




Fix: the patched version URL-decodes the path if it contains %, then rejects it if the decoded path contains sequences such as ../, .., or /.
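As an added example (not code from this post or from Spring Cloud Config), the check described above reimplemented in Python as a standalone validator run over constructed sample request paths. It goes beyond the single decode the post describes in two ways: it decodes repeatedly (bounded) so a doubly encoded sequence cannot hide a `..` segment, and it additionally confirms the resolved path stays inside the clone directory, for which `CLONE_DIR` is a constructed placeholder.

```python
import posixpath
import urllib.parse

# Constructed placeholder for the temp directory the git repository is cloned
# into (the real server uses a random config-repo-* directory).
CLONE_DIR = "/tmp/config-repo-PLACEHOLDER"

def fully_decode(path: str) -> str:
    """Percent-decode until the string stops changing (bounded), so that a
    doubly encoded %252e cannot survive one decode round as a hidden '..'."""
    for _ in range(3):
        decoded = urllib.parse.unquote(path) if "%" in path else path
        if decoded == path:
            break
        path = decoded
    return path

def is_invalid_path(path: str) -> bool:
    """Reject absolute or scheme-qualified paths and any '..' segment, checked
    on the decoded form with backslashes treated as separators."""
    normalized = fully_decode(path).replace("\\", "/")
    if normalized.startswith("/") or ":/" in normalized:
        return True
    return any(segment == ".." for segment in normalized.split("/"))

def resolves_inside(base: str, path: str) -> bool:
    """Defence in depth: join the decoded path onto the clone directory and
    confirm the normalized result is still that directory or below it."""
    base = posixpath.normpath(base)
    target = posixpath.normpath(
        posixpath.join(base, fully_decode(path).replace("\\", "/")))
    return target == base or target.startswith(base + "/")

# Constructed sample request paths as the controller sees them after the
# servlet container has already turned %25 into %.  True = must be rejected.
SAMPLE_REQUESTS = {
    "application.yml": False,
    "profiles/dev/application.yml": False,
    "%2e%2e/%2e%2e/secret.properties": True,  # one decode round exposes ../../
    "%252e%252e/secret.properties": True,     # needs a second decode round
    "..\\..\\secret.properties": True,        # backslash separators
    "/etc/secret.properties": True,           # absolute path
}

def classify_requests() -> dict:
    """Map each sample path to whether either check rejects it."""
    return {p: is_invalid_path(p) or not resolves_inside(CLONE_DIR, p)
            for p in SAMPLE_REQUESTS}
```

Matching a bare `..` substring, as the post describes, would also reject legitimate names such as `a..b.yml`; the segment check above avoids that false positive while still catching every traversal form in the sample set.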

