Description
A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content. Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through 6.3.14; 5.5.0 through 5.5.20.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
Low
Affected products
- Spring / Spring Integration7.0.0 – 7.0.4.1
- Spring / Spring Integration6.5.0 – 6.5.8.1
- Spring / Spring Integration6.4.0 – 6.4.12
- Spring / Spring Integration6.3.0 – 6.3.15
- Spring / Spring Integration5.5.0 – 5.5.21