Advisory No: TZCERT/SA/2024/07/26-6
Date of First Release: 26th July 2024
Source: Spring
Software Affected: Spring Cloud Data Flow
Overview:
Spring Cloud Data Flow is affected by a remote code execution vulnerability. Attackers can leverage the vulnerability to compromise the server.
Description:
Spring Cloud Data Flow, a microservices-based streaming platform for Cloud Foundry and Kubernetes, is affected by a vulnerability tracked as CVE-2024-37084. The vulnerability is the result of improper sanitization of the upload path: a malicious user who has access to the Skipper server API can use a crafted upload request to write an arbitrary file to any location on the file system. Attackers can exploit the vulnerability to compromise the server by executing arbitrary code remotely.
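The description above attributes the flaw to an upload path that is not contained within its intended directory. The following is an added illustration, not Spring's or Spring Cloud Data Flow's own code, of the unchecked pattern beside a hardened containment check; the base directory and the file names are constructed examples.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example (not project code): compares an unchecked upload path
// resolution with one that refuses anything escaping the base directory.
public final class UploadPathCheck {

    private UploadPathCheck() {}

    // Unsafe pattern: the client-supplied name is joined onto the base directory
    // as-is. A name containing ".." segments, or an absolute path, resolves to a
    // location outside baseDir, which is the arbitrary file write described above.
    static Path resolveUnchecked(Path baseDir, String clientName) {
        return baseDir.resolve(clientName);
    }

    // Hardened pattern: normalize both sides, then require the resolved target
    // to remain strictly inside the absolute, normalized base directory.
    static Path resolveContained(Path baseDir, String clientName) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(clientName).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException(
                "upload path escapes base directory: " + clientName);
        }
        return target;
    }

    public static void main(String[] args) {
        // Hypothetical base directory and sample upload names (constructed).
        Path base = Paths.get("/var/lib/skipper/uploads");
        String[] names = { "pkg-1.0.0.zip", "../../../tmp/escaped.txt", "/etc/hostname" };
        for (String n : names) {
            System.out.println("unchecked: " + resolveUnchecked(base, n));
            try {
                System.out.println("contained: " + resolveContained(base, n));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected : " + e.getMessage());
            }
        }
    }
}
```

Only the first name is accepted by resolveContained; the other two resolve outside the base directory and are rejected, while resolveUnchecked would return paths under /tmp and /etc.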
Impact:
Successful exploitation of this vulnerability may allow an attacker to take control of the affected system.
Solution:
Spring has released a security patch for this vulnerability. Users and administrators are encouraged to apply the necessary updates.
References: