CVE-2024-37084 (CVSS 9.8): Remote code execution in Spring Cloud Data Flow
In a recent security advisory, a critical vulnerability has been identified in Spring Cloud Data Flow, a popular microservices-based streaming and batch data processing platform used in Cloud Foundry and Kubernetes environments. This vulnerability, designated CVE-2024-37084, has received a CVSS score of 9.8, indicating its critical severity.
The vulnerability resides in the Skipper server component of Spring Cloud Data Flow. The Skipper server handles package upload requests, but because the upload path is not properly sanitized, there is a possibility for a malicious user with access to the Skipper server API to exploit this flaw. By crafting a malicious upload request, an attacker could write an arbitrary file to any location on the file system, which could lead to complete compromise of the server.
It’s important to note that the Skipper server API is not exposed to external users, significantly reducing the likelihood of this vulnerability being exploited. Nonetheless, the risk remains for internal users who have access to the API.
This vulnerability affects Spring Cloud Data Flow versions before 2.11.4. Users operating on these versions are at risk and should take immediate action to mitigate the potential threat.
To address this critical vulnerability, users of affected versions should upgrade to Spring Cloud Data Flow version 2.11.4. This updated version includes the necessary patch to rectify the improper sanitization issue in the Skipper server, effectively eliminating the risk of arbitrary file write exploitation.
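The upload-path flaw described above comes down to a missing containment check on a client-supplied file name. The following added example is not Skipper's own code (the class and method names are assumptions); it shows the unsafe resolve pattern beside a hardened one that normalises the path and requires it to remain under the upload directory.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example, not Spring Cloud Data Flow / Skipper code: a client-supplied
 * package name joined onto an upload directory, first unchecked, then hardened.
 * PackageStore and resolveUploadTarget are assumed names.
 */
public final class PackageStore {

    private final Path baseDir;

    public PackageStore(Path baseDir) {
        // Canonicalise once so later containment checks compare like with like.
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /** Vulnerable pattern: the client-supplied name is joined as-is. */
    public Path resolveUnchecked(String packageName) {
        return baseDir.resolve(packageName);
    }

    /** Hardened pattern: normalise, then require the result to stay under baseDir. */
    public Path resolveUploadTarget(String packageName) {
        if (packageName == null || packageName.isEmpty()) {
            throw new IllegalArgumentException("empty package name");
        }
        Path candidate = baseDir.resolve(packageName).normalize();
        // Path.startsWith compares path components, not string prefixes,
        // so "/srv/pkgs-evil" is not mistaken for a child of "/srv/pkgs".
        // normalize() does not follow symlinks; use toRealPath() on existing
        // directories if symlinks inside baseDir are a concern.
        if (!candidate.startsWith(baseDir) || candidate.equals(baseDir)) {
            throw new IllegalArgumentException("package name escapes upload directory: " + packageName);
        }
        return candidate;
    }

    public static void main(String[] args) {
        PackageStore store = new PackageStore(Paths.get("/srv/skipper/packages"));
        // Constructed sample names: one legitimate, one relative escape, one absolute path.
        String[] names = {"log-1.0.0.zip", "../../outside.txt", "/tmp/outside.txt"};
        for (String name : names) {
            System.out.println("unchecked: " + store.resolveUnchecked(name));
            try {
                System.out.println("hardened : " + store.resolveUploadTarget(name));
            } catch (IllegalArgumentException e) {
                System.out.println("hardened : rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first name resolves under /srv/skipper/packages; the unchecked resolve returns the other two unchanged, while the hardened version rejects them.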
Notable Changes in 2.11.4
- Added tasks/thinexecutions, used to list Task Executions more efficiently.
- Add ability for a user to specify app version when creating schedule.
- Updated versions and mitigations for CVEs.
  - CVE-2024-37084 Skipper remote code execution mitigated.
  - PRISMA-2023-0067 Jackson 2.17.1