Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreSpring Cloud Data Flow is a microservices-based Streaming and Batch data processing platform deployed in Cloud Foundry and Kubernetes. The Skipper server has the ability to receive upload package requests. There is a small possibility, due to improper sanitization for the upload path, that a malicious user who has access to the Skipper server api can use a crafted upload request to write an arbitrary file to any location on the file system which could lead to compromising the server. That being said, the Skipper server api is not exposed to external users and the likelihood of this exploitation is extremely minimal.
Affected version(s) | Fix version | Availability |
---|---|---|
2.11.x | 2.11.4 | OSS |
Users of affected versions should upgrade to the corresponding fixed version.
The issue was identified and responsibly reported by Liyw979, robinzeng2015, fcgboy, stan000444111888.
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy