PT-2024-7036 · Spring · Spring Cloud Data Flow

Fcgboy +3 · Published 2024-07-25 · Updated 2024-10-22 · CVE-2024-37084

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Spring Cloud Data Flow versions prior to 2.11.4

Description

A malicious user who has access to the Skipper server API can use a crafted upload request to write an arbitrary file to any location on the file system, which could lead to compromising the server. The issue is related to incorrect management of code generation. Exploitation of the issue may allow a remote attacker to write a file to any directory on the system using a specially formed API request.

Recommendations

For Spring Cloud Data Flow versions prior to 2.11.4, update to version 2.11.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the Skipper server API to minimize the risk of exploitation. Avoid using the API to upload files to sensitive locations on the server until the issue is resolved.

Exploit

Fix

Path traversal

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2024-08290
BIT-SPRING-CLOUD-DATAFLOW-2024-37084
CVE-2024-37084
GHSA-P528-3MVF-GR87

Affected Products

Spring Cloud Data Flow