CVE-2024-37084: Remote code execution in Spring Cloud Data Flow

CRITICAL | JULY 24, 2024 | CVE-2024-37084

Description

Spring Cloud Data Flow is a microservices-based streaming and batch data processing platform for Cloud Foundry and Kubernetes. Its Skipper server accepts package upload requests. Because the upload path is not properly sanitized, a malicious user with access to the Skipper server API can send a crafted upload request that writes an arbitrary file to any location on the file system, which could compromise the server. The Skipper server API is not intended to be exposed to external users, so the likelihood of exploitation is considered very low; before relying on that assessment, confirm that the Skipper API in your deployment is in fact unreachable from untrusted clients, since anywhere it is reachable the issue amounts to remote code execution.
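The following is an added illustration, not Skipper's own code, of the unsafe pattern the description refers to and the check that closes it. The class name, the method names and the `name + "-" + version + ".zip"` file layout are assumptions made for this example; the only fact taken from the advisory is that client-controlled fields of the upload request end up in a file-system path.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;

/**
 * Hypothetical package-upload store (not Skipper's own code). Request fields
 * chosen by the client (package name and version) end up in the on-disk path.
 */
public class PackageUploadExample {

    private final Path packageRoot;

    public PackageUploadExample(Path packageRoot) {
        // Absolute and normalized so that startsWith() below compares like with like.
        this.packageRoot = packageRoot.toAbsolutePath().normalize();
    }

    /** Vulnerable pattern: request fields are joined straight into the path. */
    public Path storeUnchecked(String name, String version, byte[] body) throws IOException {
        Path target = packageRoot.resolve(name + "-" + version + ".zip");
        Files.write(target, body);            // "../" segments in name walk out of packageRoot
        return target;
    }

    /** Hardened pattern: normalize, then require the result to stay under packageRoot. */
    public Path storeChecked(String name, String version, byte[] body) throws IOException {
        Path target = resolveInsideRoot(name + "-" + version + ".zip");
        Files.createDirectories(target.getParent());
        // CREATE_NEW additionally refuses to overwrite a file that already exists.
        Files.write(target, body, StandardOpenOption.CREATE_NEW);
        return target;
    }

    /**
     * Rejects absolute inputs (resolve() returns them unchanged), "../" escapes,
     * and the empty name, which resolves to the root directory itself.
     */
    Path resolveInsideRoot(String relative) {
        Path target = packageRoot.resolve(relative).normalize();
        if (target.equals(packageRoot) || !target.startsWith(packageRoot)) {
            throw new IllegalArgumentException("upload path escapes package root: " + relative);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("packages");
        PackageUploadExample store = new PackageUploadExample(root);
        byte[] body = "constructed sample package body".getBytes();   // constructed input

        // Benign request lands under the root either way.
        System.out.println("ok:       " + store.storeChecked("log", "1.0.0", body));

        // Crafted name: a "../" segment plus a file name the attacker chooses.
        String evilName = "../outside";
        System.out.println("escaped:  " + store.storeUnchecked(evilName, "1", body).normalize());

        try {
            store.storeChecked(evilName, "1", body);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running the example prints the checked write inside the temporary root, the unchecked write landing one directory above it, and the rejection of the same crafted name by the hardened method. Note that `Path.normalize()` is purely lexical: if the package root may contain symbolic links pointing outside it, resolve the target with `toRealPath()` (or check the link-free parent) before applying the `startsWith` test.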

Affected Spring Products and Versions

Spring Cloud Skipper

  • 2.11.0 - 2.11.3

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version   Availability
2.11.x                2.11.4        OSS


Credit

The issue was identified and responsibly reported by Liyw979, robinzeng2015, fcgboy, stan000444111888.
