PT-2024-28229 · Spring · Spring Boot
Yufan You · Published 2024-08-23 · Updated 2026-05-24
CVE-2024-38807
CVSS v4.0: 7.2 (High)
Vector: AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Spring Boot versions 2.7.0 through 2.7.21
Spring Boot versions 3.0.0 through 3.0.16
Spring Boot versions 3.1.0 through 3.1.12
Spring Boot versions 3.2.0 through 3.2.8
Spring Boot versions 3.3.0 through 3.3.2
Description
Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.
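The weakness described above sits in custom verification code that trusts a jar-wide notion of "who signed this" instead of checking the signer attached to each individual entry. The following is an added illustration of the defensive check, not code from Spring Boot or from this advisory: it extracts one nested jar (assumed here to live under BOOT-INF/lib/ of a Spring Boot fat jar) to a temporary file, lets the JDK's own JarFile verifier validate the digests, and then compares every entry's own CodeSigner certificate against a single expected X.509 certificate supplied by the caller. The expected certificate and the nested entry name are assumptions the caller provides.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Illustrative per-entry signer check for a nested jar (e.g. BOOT-INF/lib/foo.jar
 * inside a Spring Boot fat jar). Added example; not Spring Boot's own code.
 */
public final class NestedJarSignerCheck {

    private NestedJarSignerCheck() {}

    /**
     * Returns the names of entries that are unsigned or signed by someone other
     * than {@code expected}. An empty list means every content entry of the
     * nested jar carries a valid signature from the expected certificate.
     *
     * @param outerJar        path to the fat jar (assumed Spring Boot layout)
     * @param nestedEntryName e.g. "BOOT-INF/lib/some-library.jar" (assumption)
     * @param expected        the one certificate all entries must be signed by
     */
    public static List<String> entriesNotSignedBy(Path outerJar, String nestedEntryName,
                                                  X509Certificate expected) throws IOException {
        List<String> problems = new ArrayList<>();
        Path tmp = Files.createTempFile("nested-", ".jar");
        try (JarFile outer = new JarFile(outerJar.toFile(), false)) {
            JarEntry nested = outer.getJarEntry(nestedEntryName);
            if (nested == null) {
                throw new IOException("nested jar not found: " + nestedEntryName);
            }
            // Copy the nested jar out so the JDK's JarFile verifier (verify=true)
            // performs the digest and signature checks instead of custom code.
            try (InputStream in = outer.getInputStream(nested)) {
                Files.copy(in, tmp, StandardCopyOption.REPLACE_EXISTING);
            }
            try (JarFile inner = new JarFile(tmp.toFile(), true)) {
                Enumeration<JarEntry> entries = inner.entries();
                while (entries.hasMoreElements()) {
                    JarEntry e = entries.nextElement();
                    if (e.isDirectory() || e.getName().startsWith("META-INF/")) {
                        continue; // signature files themselves are not "content"
                    }
                    // Signers are only populated once the entry has been read to EOF;
                    // a digest mismatch surfaces here as a SecurityException.
                    try (InputStream in = inner.getInputStream(e)) {
                        in.transferTo(OutputStream.nullOutputStream());
                    }
                    // Decide per entry, from this entry's own signers, never from a
                    // result cached for the whole jar or for a different entry.
                    if (!signedBy(e.getCodeSigners(), expected)) {
                        problems.add(e.getName());
                    }
                }
            }
        } finally {
            Files.deleteIfExists(tmp);
        }
        return problems;
    }

    /** True if at least one signer's leaf certificate equals the expected one. */
    static boolean signedBy(CodeSigner[] signers, X509Certificate expected) {
        if (signers == null) {
            return false; // unsigned entry
        }
        for (CodeSigner s : signers) {
            List<? extends Certificate> chain = s.getSignerCertPath().getCertificates();
            if (!chain.isEmpty() && expected.equals(chain.get(0))) {
                return true;
            }
        }
        return false;
    }
}
```

The design point is that the decision is made per entry and per signer certificate: an entry that is unsigned, or whose signer differs from the expected one, is reported by name, so a jar in which only some entries come from the trusted signer is rejected rather than accepted on the strength of its other entries. Applying this check does not replace upgrading to the fixed Spring Boot versions listed below.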
Recommendations
For Spring Boot versions 2.7.0 through 2.7.21, update to version 2.7.22 to resolve the issue.
For Spring Boot versions 3.0.0 through 3.0.16, update to version 3.0.17 to resolve the issue.
For Spring Boot versions 3.1.0 through 3.1.12, update to version 3.1.13 to resolve the issue.
For Spring Boot versions 3.2.0 through 3.2.8, update to version 3.2.9 to resolve the issue.
For Spring Boot versions 3.3.0 through 3.3.2, update to version 3.3.3 to resolve the issue.
Fix
Improper Verification of Cryptographic Signature
Authentication Bypass by Spoofing
Related Identifiers
Affected Products
Debian
Spring Boot