Veracode Vulnerability Database: VERACODE:48235
History: Jul 26, 2024 - 5:43 a.m.

Remote Code Execution (RCE)

Published: 2024-07-26 05:43:16
Source: Veracode Vulnerability Database (sca.analysiscenter.veracode.com)
Tags: org.springframework.cloud, spring-cloud-skipper-server, remote code execution, vulnerability, upload requests, malicious user

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.6
Confidence: High
EPSS: 0.001
Percentile: 19.6%

org.springframework.cloud: spring-cloud-skipper-server is vulnerable to Remote Code Execution (RCE). The vulnerability is caused by improper validation of upload requests, which allows a malicious user with access to the Skipper server API to write an arbitrary file to any location on the file system; this can result in RCE.
