CVE-2024-37084

CVE-2024-37084: Remote code execution in Spring Cloud Data Flow

CVSS 9.8 CRITICALEPSS 35.2%CWE-94

In Spring Cloud Data Flow versions prior to 2.11.4, a malicious user who has access to the Skipper server api can use a crafted upload request to write an arbitrary file to any location on the file system which could lead to compromising the server

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Spring · Spring Cloud Data Flow

public PoCs found — 2

githubgithub.com/Kayiyan/CVE-2024-37084-Poc★ 3 githubgithub.com/vuhz/CVE-2024-37084★ 2

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://spring.io/security/cve-2024-37084