CVE-2024-37084

State: PUBLISHED · Published: 2024-07-25 · Updated: 2024-08-02 · Assigner: vmware

Description

In Spring Cloud Data Flow versions prior to 2.11.4, a malicious user who has access to the Skipper server api can use a crafted upload request to write an arbitrary file to any location on the file system which could lead to compromising the server

CWE

CWE-94 — CWE-94 Improper Control of Generation of Code ('Code Injection')

Affected

Spring / Spring Cloud Data Flow — v=2.11.x <2.11.4 [affected]

CVSS

3.1 score=9.8 severity=CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

https://spring.io/security/cve-2024-37084

Source

cvelistV5-main/cves/2024/37xxx/CVE-2024-37084.json