{"id":"BIT-spring-cloud-dataflow-2024-37084","summary":"CVE-2024-37084: Remote code execution in Spring Cloud Data Flow","details":"In Spring Cloud Data Flow versions prior to 2.11.4, a malicious user who has access to the Skipper server API can use a crafted upload request to write an arbitrary file to any location on the file system, which could lead to compromise of the server.","aliases":["CVE-2024-37084","GHSA-p528-3mvf-gr87"],"modified":"2025-05-20T10:02:07.006Z","published":"2024-08-27T12:38:05.732Z","database_specific":{"severity":"High","cpes":["cpe:2.3:a:vmware:spring_cloud_data_flow:*:*:*:*:*:*:*:*"]},"references":[{"type":"WEB","url":"https://spring.io/security/cve-2024-37084"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37084"}],"affected":[{"package":{"name":"spring-cloud-dataflow","ecosystem":"Bitnami","purl":"pkg:bitnami/spring-cloud-dataflow"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.11.0"},{"fixed":"2.11.4"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/spring-cloud-dataflow/BIT-spring-cloud-dataflow-2024-37084.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}],"schema_version":"1.7.3"}