Spring Security Advisories

CVE-2024-22263: Arbitrary File Write Vulnerability in Spring Cloud Data Flow

HIGH | MAY 23, 2024 | CVE-2024-22263

Description

Spring Cloud Data Flow provides microservices-based streaming and batch data processing in Cloud Foundry and Kubernetes. The Skipper server can receive package upload requests. However, because the upload path is not properly sanitized, a malicious user who has access to the Skipper server API can use a crafted upload request to write an arbitrary file to any location on the file system, which may even compromise the server.
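
The description attributes the flaw to an upload path built from request data without adequate sanitization. The Java example below is added here for illustration and is not taken from Skipper's code or its fix; it shows a containment check that keeps an upload write inside one directory. The class name, method name, the `name`/`version` fields and the file naming are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

/** Added illustration; SafeUploadPath and its members are hypothetical names, not Skipper code. */
public class SafeUploadPath {

    // Allow-list for client-supplied path components: no separators, no leading dot.
    private static final Pattern COMPONENT = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,127}");

    /** Maps untrusted name/version fields to a file that is guaranteed to sit under baseDir. */
    static Path resolveUpload(Path baseDir, String name, String version) throws IOException {
        if (name == null || version == null
                || !COMPONENT.matcher(name).matches()
                || !COMPONENT.matcher(version).matches()) {
            throw new IllegalArgumentException("invalid package name or version");
        }
        // toRealPath() resolves symlinks in the base so the prefix check compares real locations.
        Path base = baseDir.toRealPath();
        Path target = base.resolve(name + "-" + version + ".zip").normalize();
        // Defence in depth: even if the allow-list is loosened later, refuse anything outside base.
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("upload path escapes the package directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("packages");
        // Constructed sample inputs: one well-formed, three that must be rejected.
        String[][] samples = {
            {"demo-app", "1.0.0"},
            {"../../outside", "1.0.0"},
            {"/abs/path", "1.0.0"},
            {"demo-app", "1.0.0/../../x"},
        };
        for (String[] s : samples) {
            try {
                System.out.println("accepted: " + resolveUpload(base, s[0], s[1]));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + s[0] + " / " + s[1] + " (" + e.getMessage() + ")");
            }
        }
    }
}
```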

Affected Spring Products and Versions

Spring Cloud Skipper

  • 2.11.0 - 2.11.2
  • 2.10.x

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) | Fix version | Availability
2.11.x | 2.11.3 | OSS
2.10.x | 2.11.3 | OSS

Credit

The issue was identified and responsibly reported by cokeBeer, crisprss, LFYSec, skyxsecurity.
