Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 7 maven packages depend on org.springframework.cloud:spring-cloud-config-server (6 direct, 1 indirect)
Ecosystem-wide dependent count for version 3.1.0.
DescriptionCVE.org
When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
AnalysisAI
Spring Cloud Config Server exposes sensitive information in plaintext logs when trace logging is enabled, allowing high-privilege local users to access configuration data including credentials and API keys. The vulnerability affects versions 3.1.0-3.1.13, 4.1.0-4.1.9, 4.2.0-4.2.6, 4.3.0-4.3.2, and 5.0.0-5.0.2. No public exploit identified at time of analysis; vendor-released patches are available for all affected version lines.
Technical ContextAI
Spring Cloud Config Server is a centralized configuration management system for distributed Java applications that stores and serves application properties, database credentials, API keys, and other sensitive configuration data to client applications. The vulnerability resides in the trace logging mechanism (typically controlled by log level settings in Spring Boot/Spring Framework logging configuration). When trace-level logging is enabled, the configuration server logs the full contents of configuration data being served, including plaintext secrets that should be redacted or excluded from logs. This violates the logging best practice of never writing authentication material or API credentials to logs. The root cause is insufficient redaction/filtering of sensitive fields before writing to logs-a classic information disclosure flaw (CWE-532: Insertion of Sensitive Information into Log File). The affected CPE indicates all versions of Spring Cloud Config across the listed minor versions are vulnerable until the specified patch versions.
RemediationAI
Vendor-released patches are available for all affected version lines. Spring Cloud Config 3.1.x users should upgrade to 3.1.14 or greater; 4.1.x users should upgrade to 4.1.10 or greater; 4.2.x users should upgrade to 4.2.7 or greater; 4.3.x users should upgrade to 4.3.3 or greater; and 5.0.x users should upgrade to 5.0.3 or greater. Note that 3.1.x, 4.1.x, and 4.2.x patches are available only with Enterprise Support from VMware. For environments unable to patch immediately, disable trace-level logging on Spring Cloud Config Server instances by setting the application log level to DEBUG or INFO in application.yml or application.properties, and avoid enabling spring.cloud.config.server.debug=true or trace-level loggers for spring.cloud.config packages. Additionally, restrict file system access to application logs to authenticated administrators only, and route logs to secure log aggregation systems with access controls and encryption. If centralized logging is used, ensure that log ingestion and storage have proper access restrictions to limit exposure of secrets that may already be logged.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28250
GHSA-j6hh-h3cf-c2hf