Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2024-22263: Arbitrary File Write Vulnerability in Spring Cloud Data Flow
Description
Spring Cloud Data Flow is a microservices-based Streaming and Batch data processing in Cloud Foundry and Kubernetes. The Skipper server has the ability to receive upload package requests. However, due to improper sanitization for upload path, a malicious user who has access to skipper server api can use a crafted upload request can lead to remote code execution.
Affected Spring Products and Versions
Spring Cloud Skipper
- 2.11.0 - 2.11.2
- 2.10.x
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 2.11.x | 2.11.3 | OSS |
| 2.10.x | 2.11.3 | OSS |
Users of affected versions should upgrade to the corresponding fixed version.
Credit
The issue was identified and responsibly reported by cokeBeer, crisprss, LFYSec, skyxsecurity.
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all