Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2020-5427: Possibility of SQL Injection in Spring Cloud Data Flow Task Execution Sorting Query
Description
In Spring Cloud Data Flow, versions 2.6.x prior to 2.6.5, versions 2.5.x prior 2.5.4, an application is vulnerable to SQL injection when requesting task execution.
Affected Spring Products and Versions
- Spring Cloud Data Flow
- 2.6.x
- 2.5.x
Mitigation
Users should upgrade to 2.5.4 and higher. Releases that have fixed this issue include:
- Spring Cloud Data Flow
- 2.7.0
- 2.6.5
- 2.5.4
Credit
This issue was identified and responsibly reported by Sufijen Bani from CHECK24 Factory GmbH.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5427
- https://github.com/spring-cloud/spring-cloud-dataflow/releases/tag/v2.7.0
- https://github.com/spring-cloud/spring-cloud-dataflow/releases/tag/v2.6.4
History
- 2020-12-01: 2.7.0 Release with fix
- 2020-11-24: Release Fix for 2.6.x line
- 2020-10-30: Initial vulnerability identified.
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all