CVE-2024-37084: 
Java vulnerability analysis and mitigation

Spring Cloud Data Flow, a microservices-based Streaming and Batch data processing platform, was found to contain a critical vulnerability (CVE-2024-37084) affecting versions 2.11.0 through 2.11.3. The vulnerability was discovered and reported by security researchers Liyw979, robinzeng2015, fcgboy, and stan000444111888. The issue was disclosed on July 24, 2024, and involves the Skipper server component of the platform (Spring Advisory).

The vulnerability stems from improper sanitization of upload paths in the Skipper server API. This security flaw allows authenticated users to manipulate upload requests in a way that enables arbitrary file writing to any location on the file system. The vulnerability has received a CVSS v3.1 base score of 8.8 (High) from NIST and 9.8 (Critical) from VMware, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact across confidentiality, integrity, and availability (NVD).

If successfully exploited, this vulnerability could lead to server compromise through arbitrary file writing capabilities. However, the impact is somewhat mitigated by the fact that the Skipper server API is not typically exposed to external users, making the likelihood of exploitation minimal (Spring Advisory).

Users of affected versions are strongly advised to upgrade to Spring Cloud Data Flow version 2.11.4, which contains the fix for this vulnerability. No alternative workarounds have been provided (Spring Advisory).