Possibility of SQL Injection in Spring Cloud Task Execution Sorting Query

LOW | JANUARY 25, 2021 | CVE-2020-5428

Description

In applications using Spring Cloud Task 2.2.4.RELEASE and below, may be vulnerable to SQL injection when exercising certain lookup queries in the TaskExplorer.

Affected Spring Products and Versions

Spring Cloud Task:

  • 1.0.0.RELEASE - 2.2.4.RELEASE

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.
Fix versionAvailability
2.2.5.RELEASEOSS

Users should upgrade to 2.2.5 and higher.

Credit

This issue was identified and responsibly reported by Surfijen Bani of CHECK24 Factory GmbH.

History

  • 2021-01-25: Initial vulnerability report published.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all