Malicious File Write Vulnerability in Spring Cloud Data Flow Skipper Prior to 2.11.4
CVE-2024-37084

8.8HIGH

Key Information:

Vendor: Spring
Status: Spring Cloud Data Flow
Vendor: CVE Published:; 25 July 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A vulnerability in Spring Cloud Data Flow versions prior to 2.11.4 exists that allows an attacker with access to the Skipper server API to craft a malicious upload request. This action can result in the writing of an arbitrary file to any location on the server's file system, potentially leading to a complete compromise of the server. This vulnerability underscores the importance of implementing proper access controls and sanitization mechanisms to prevent unauthorized file system modifications.

Affected Version(s)

Spring Cloud Data Flow 2.11.x < 2.11.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-37084-Exp
Created by Ly4j

CVE-2024-37084
Created by vuhz

cve-2024-37084-Poc
Created by XiaomingX

References

https://spring.io/security/cve-2024-37084

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Nov 22, 2024
👾
Exploit known to exist
Sep 11, 2024
Vulnerability published
Jul 25, 2024
Vulnerability Reserved
Jun 3, 2024