CVE-2020-5427: Possibility of SQL Injection in Spring Cloud Data Flow Task Execution Sorting Query
Medium
Spring by VMware
In Spring Cloud Data Flow, versions 2.6.x prior to 2.6.5 and versions 2.5.x prior to 2.5.4, an application is vulnerable to SQL injection when requesting task executions, because the sort parameter of the task execution query is incorporated into the SQL.
Severity is medium unless otherwise noted.
Since Spring Cloud Data Flow is typically hosted internally for the Operations team and is not exposed as a public-facing service, the risk is believed to be medium (based on the CVSS score).
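The defensive pattern behind this class of bug, as an added example that is not code from Spring Cloud Data Flow: an ORDER BY clause cannot be bound as a query parameter, so a client-supplied sort key must be mapped through an allow-list before any SQL text is assembled. The table name, columns, sample rows and the `key,direction` sort syntax below are all constructed for illustration.

```python
import sqlite3

# Constructed table and rows standing in for a task-execution store.
SCHEMA = """
CREATE TABLE task_execution (
    task_execution_id INTEGER PRIMARY KEY,
    task_name TEXT NOT NULL,
    start_time TEXT,
    exit_code INTEGER
);
"""

SAMPLE_ROWS = [
    (1, "timestamp-batch", "2020-10-01T10:00:00", 0),
    (2, "import-orders", "2020-10-02T11:30:00", 1),
    (3, "nightly-report", "2020-10-03T02:15:00", 0),
]

# Only these caller-visible sort keys are accepted; each maps to a real column.
# Raw column names are deliberately not accepted, so the schema is not exposed.
ALLOWED_SORT_COLUMNS = {
    "id": "task_execution_id",
    "name": "task_name",
    "start": "start_time",
    "exitCode": "exit_code",
}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

BASE_QUERY = "SELECT task_execution_id, task_name FROM task_execution ORDER BY "


def build_query_unsafe(sort_param):
    """Vulnerable pattern (shown for contrast, never executed here): the
    client-supplied sort string is concatenated straight into the SQL text."""
    return BASE_QUERY + sort_param


def build_query_safe(sort_param):
    """Hardened pattern: parse 'key,direction', resolve both through the
    allow-lists, and build ORDER BY from the mapped values only. Anything
    not in the allow-lists is rejected before SQL is assembled."""
    key, _, direction = sort_param.partition(",")
    direction = direction.strip().lower() or "asc"
    column = ALLOWED_SORT_COLUMNS.get(key.strip())
    sql_direction = ALLOWED_DIRECTIONS.get(direction)
    if column is None or sql_direction is None:
        raise ValueError(f"unsupported sort parameter: {sort_param!r}")
    return f"{BASE_QUERY}{column} {sql_direction}"


def list_execution_ids(sort_param):
    """Run the hardened query against an in-memory database and return the
    task execution ids in the requested order."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.executescript(SCHEMA)
        conn.executemany("INSERT INTO task_execution VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
        rows = conn.execute(build_query_safe(sort_param)).fetchall()
        return [row[0] for row in rows]
    finally:
        conn.close()


if __name__ == "__main__":
    print(list_execution_ids("start,desc"))  # [3, 2, 1]
    print(list_execution_ids("name"))        # [2, 3, 1]
    for bad in ("task_name", "id,sideways", "id; SELECT 1"):
        try:
            list_execution_ids(bad)
        except ValueError as err:
            print("rejected:", err)
```

The allow-list maps API-level names to columns rather than accepting column names directly, so the check also rejects a valid column that the API was never meant to sort on; the rejection happens in `build_query_safe` before a connection is touched, which is where a request validator or controller would sit.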
- Spring Cloud Data Flow
  - 2.6.x
  - 2.5.x
Users of affected versions should upgrade to 2.5.4 or a later fixed release. Releases that have fixed this issue include:
- Spring Cloud Data Flow
  - 2.7.0
  - 2.6.5
  - 2.5.4
This issue was identified and responsibly reported by Sufijen Bani from CHECK24 Factory GmbH.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5427
- https://github.com/spring-cloud/spring-cloud-dataflow/releases/tag/v2.7.0
- https://github.com/spring-cloud/spring-cloud-dataflow/releases/tag/v2.6.4
- 2020-12-01: 2.7.0 release with fix
- 2020-11-24: Fix released for the 2.6.x line
- 2020-10-30: Initial vulnerability identified