CVE-2020-5428: Possibility of SQL Injection in Spring Cloud Task Execution Sorting Query

Severity

Low

Vendor

Spring by VMware

Description

In applications using Spring Cloud Task 2.2.4.RELEASE and below, may be vulnerable to SQL injection when exercising certain lookup queries in the TaskExplorer.

Affected VMware Products and Versions

Severity is low unless otherwise noted.

This is based on the CVSS calculated here.

Spring Cloud Task
- 2.2.4 and below

Mitigation

Users should upgrade to 2.2.5 and higher. Releases that have fixed this issue include:

Spring Cloud Task
- 2.3.0
- 2.2.5

Credit

This issue was identified and responsibly reported by Surfijen Bani of CHECK24 Factory GmbH.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5428

History

2020-11-03: Initial vulnerability identified.

Paving the Road to Modern Apps

VMware Tanzu for vSphere pros

VMware Tanzu for Platform Ops

VMware Tanzu for DevSecOps

CVE-2020-5428: Possibility of SQL Injection in Spring Cloud Task Execution Sorting Query