CVE-2020-5427: Possibility of SQL Injection in Spring Cloud Data Flow Task Execution Sorting Query


Severity

Medium

Vendor

Spring by VMware

Description

In Spring Cloud Data Flow, versions 2.6.x prior to 2.6.5 and versions 2.5.x prior to 2.5.4, an application is vulnerable to SQL injection when requesting task executions, because the sort parameter of the task execution query reaches the SQL text.
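
The defensive pattern that closes this class of bug is to never let a client-supplied sort key reach the query text: map it through an allow-list to a fixed column name and validate the direction separately. The following is an added illustration, not Spring Cloud Data Flow's own code; the table, column names and sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample table; not the real Spring Cloud Data Flow schema.
SCHEMA = """
CREATE TABLE task_execution (
    task_execution_id INTEGER PRIMARY KEY,
    task_name TEXT,
    start_time TEXT
);
"""
ROWS = [(1, "timestamp", "2020-10-01"),
        (2, "batch-import", "2020-10-03"),
        (3, "cleanup", "2020-10-02")]

# Allow-list: the only sort keys a client may send, mapped to fixed columns.
# Nothing taken from the request is ever concatenated into the SQL text.
SORT_COLUMNS = {
    "id": "task_execution_id",
    "name": "task_name",
    "started": "start_time",
}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

def build_order_by(sort_key: str, direction: str = "asc") -> str:
    """Return a safe ORDER BY fragment, or raise ValueError on unknown input."""
    try:
        column = SORT_COLUMNS[sort_key]
        order = DIRECTIONS[direction.lower()]
    except KeyError as exc:
        raise ValueError(f"unsupported sort parameter: {exc.args[0]!r}") from None
    return f"ORDER BY {column} {order}"

def list_executions(conn, sort_key, direction="asc", limit=10):
    # The only dynamic part is the allow-listed fragment; LIMIT is a bound parameter.
    sql = ("SELECT task_execution_id, task_name FROM task_execution "
           f"{build_order_by(sort_key, direction)} LIMIT ?")
    return conn.execute(sql, (limit,)).fetchall()

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO task_execution VALUES (?, ?, ?)", ROWS)
    return conn

if __name__ == "__main__":
    db = open_sample_db()
    print(list_executions(db, "started", "desc"))
    try:
        list_executions(db, "task_name; DROP TABLE task_execution")
    except ValueError as err:
        print("rejected:", err)
```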

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

Since Spring Cloud Data Flow is hosted internally for the Operations team and is typically not exposed as a service to the public, the risk is believed to be medium (based on the CVSS score).

  • Spring Cloud Data Flow
    • 2.6.x
    • 2.5.x

Mitigation

Users should upgrade to 2.5.4 and higher. Releases that have fixed this issue include:

  • Spring Cloud Data Flow
    • 2.7.0
    • 2.6.5
    • 2.5.4

Credit

This issue was identified and responsibly reported by Sufijen Bani from CHECK24 Factory GmbH.

References

History

2020-12-01: 2.7.0 Release with fix
2020-11-24: Fix released for the 2.6.x line
2020-10-30: Initial vulnerability identified.