Spring Security Advisories

CVE-2024-37084: Remote code execution in Spring Cloud Data Flow

CRITICAL | JULY 25, 2024 | CVE-2024-37084

Description

Spring Cloud Data Flow is a microservices-based Streaming and Batch data processing platform deployed in Cloud Foundry and Kubernetes. The Skipper server has the ability to receive upload package requests. There is a small possibility, due to improper sanitization for the upload path, that a malicious user who has access to the Skipper server api can use a crafted upload request to write an arbitrary file to any location on the file system which could lead to compromising the server. That being said, the Skipper server api is not exposed to external users and the likelihood of this exploitation is extremely minimal.

Affected Spring Products and Versions

Spring Cloud Skipper

  • 2.11.0 - 2.11.3

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s)Fix versionAvailability
2.11.x2.11.4OSS

Users of affected versions should upgrade to the corresponding fixed version.

Credit

The issue was identified and responsibly reported by Liyw979, robinzeng2015, fcgboy, stan000444111888.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all