Impact
When trace logging is enabled in Spring Cloud Config Server, sensitive information such as secrets, passwords and tokens is written to the logs in clear text. This is a data disclosure weakness, CWE-532 (Insertion of Sensitive Information into Log File), that compromises the confidentiality of any secret stored in the logs. The exposure is limited to what is logged: the flaw does not alter application behavior or provide any code execution capability.
Affected Systems
Spring Cloud Config 3.1.x: versions 3.1.0 through 3.1.13 are affected; upgrade to 3.1.14 or later.
Spring Cloud Config 4.1.x: versions 4.1.0 through 4.1.9 are affected; upgrade to 4.1.10 or later.
Spring Cloud Config 4.2.x: versions 4.2.0 through 4.2.6 are affected; upgrade to 4.2.7 or later.
Spring Cloud Config 4.3.x: versions 4.3.0 through 4.3.2 are affected; upgrade to 4.3.3 or later.
Spring Cloud Config 5.0.x: versions 5.0.0 through 5.0.2 are affected; upgrade to 5.0.3 or later.
Enterprise Support is required for versions 3.1.x and 4.1.x-4.3.x.
Risk and Exploitability
The CVSS score of 4.4 indicates moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires two conditions: trace logging must be enabled on the server, and the attacker must be able to read the server logs, either locally or through compromised credentials. No remote code execution or denial-of-service vector is documented. The main risk is unauthorized disclosure of sensitive data to any person or process with access to the log files.
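Two checks follow from the sections above: confirm that no Spring Boot logger covering the config server runs at TRACE, and look for credential-looking key=value pairs in existing log output. The script below is an added example written for this page; it is not code from the advisory or from the Spring Cloud project. It assumes only the standard Spring Boot `logging.level.<logger>` property keys and the real package name `org.springframework.cloud.config`; the sample properties, the sample log lines and the secret-looking values in them are constructed for the example, and the key-name heuristic is illustrative rather than exhaustive.

```python
import re

# Constructed sample configuration in application.properties form.
SAMPLE_PROPERTIES = """
spring.application.name=config-server
logging.level.root=INFO
logging.level.org.springframework.cloud.config=TRACE
logging.level.org.springframework.web=DEBUG
"""

# Constructed sample log lines in the general shape of Spring Boot output.
# The property values shown are made up for this example.
SAMPLE_LOG_LINES = [
    "2024-01-01 12:00:00.000 TRACE 1 --- [nio-8888-exec-1] o.s.c.c.s.e.EnvironmentController : Request: application=foo, profile=default",
    "2024-01-01 12:00:00.001 TRACE 1 --- [nio-8888-exec-1] o.s.c.c.s.e.EnvironmentController : Property db.password=s3cr3t-pa55",
    "2024-01-01 12:00:00.002 TRACE 1 --- [nio-8888-exec-1] o.s.c.c.s.e.EnvironmentController : Property api.token=abcdef0123456789",
    "2024-01-01 12:00:01.000 INFO  1 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8888",
]

# Package whose TRACE output is the subject of the advisory.
CONFIG_SERVER_PACKAGE = "org.springframework.cloud.config"

# Matches Spring Boot logger-level properties: logging.level.<logger>=<LEVEL>
_LEVEL_RE = re.compile(r"^\s*logging\.level\.([\w.\-]+)\s*[=:]\s*(\w+)\s*$")

# Heuristic for credential-looking keys followed by a value.
_SECRET_KEY_RE = re.compile(
    r"\b([\w.\-]*(?:password|passwd|secret|token|credential|api[_.\-]?key)[\w.\-]*)\s*[=:]\s*(\S+)",
    re.IGNORECASE,
)


def _covers_config_server(logger):
    """True if a level set on `logger` applies to the config server package."""
    return (
        logger == "root"
        or logger == CONFIG_SERVER_PACKAGE
        or CONFIG_SERVER_PACKAGE.startswith(logger + ".")
    )


def find_trace_logging(properties_text):
    """Return (logger, level) pairs that put the config server package at TRACE."""
    hits = []
    for line in properties_text.splitlines():
        m = _LEVEL_RE.match(line)
        if not m:
            continue
        logger, level = m.group(1), m.group(2).upper()
        if level == "TRACE" and _covers_config_server(logger):
            hits.append((logger, level))
    return hits


def find_secret_like_entries(log_lines):
    """Return (line_number, key) for log lines carrying a credential-looking key=value pair."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        for m in _SECRET_KEY_RE.finditer(line):
            findings.append((number, m.group(1)))
    return findings


def redact_secret_values(line):
    """Return the log line with values of credential-looking keys masked."""
    return _SECRET_KEY_RE.sub(lambda m: f"{m.group(1)}=***", line)


if __name__ == "__main__":
    for logger, level in find_trace_logging(SAMPLE_PROPERTIES):
        print(f"config server logging at {level} via logger '{logger}'")
    for number, key in find_secret_like_entries(SAMPLE_LOG_LINES):
        print(f"line {number}: credential-looking key '{key}' written to log")
        print("  redacted:", redact_secret_values(SAMPLE_LOG_LINES[number - 1]))
```

The properties check only handles the flat `.properties` form; a YAML configuration would need a YAML parser to flatten `logging.level` first. The log scan is a detection aid for finding what has already been written to disk; the remediation the advisory calls for is upgrading to a fixed release and keeping config server loggers out of TRACE in production.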
OpenCVE Enrichment