PT-2024-7296 · Spring+1 · Spring-Web+1

Seokchan Yoon · Published 2024-08-14 · Updated 2024-09-30 · CVE-2024-38809

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions:
org.springframework:spring-web versions 5.3.0 through 5.3.37
org.springframework:spring-web versions 6.0.0 through 6.0.22
org.springframework:spring-web versions 6.1.0 through 6.1.11

Description: Applications that parse ETags from If-Match or If-None-Match request headers are vulnerable to a denial-of-service (DoS) attack. The issue is related to errors in resource release.

Recommendations:
For versions 5.3.x, upgrade to version 5.3.38.
For versions 6.0.x, upgrade to version 6.0.23.
For versions 6.1.x, upgrade to version 6.1.12.
For older, unsupported versions, enforce a size limit on If-Match and If-None-Match headers, e.g., through a Filter.
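The header size limit suggested for unsupported versions, written out as a Spring Filter. This is an added example, not code from the advisory or from the Spring project; the 4096-byte budget and the class name are assumptions, and it targets the jakarta.servlet API used by Spring 6 (Spring 5.3 uses javax.servlet instead).

```java
import java.io.IOException;
import java.util.Collections;
import java.util.List;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Rejects requests whose If-Match / If-None-Match headers exceed a size budget
 * before any ETag parsing takes place. Added example; not part of the advisory.
 */
@Component
public class ConditionalHeaderSizeFilter extends OncePerRequestFilter {

    // Assumed budget: a strong ETag is typically tens of bytes, so 4 KiB leaves room
    // for long ETag lists while bounding the work handed to the ETag parser. Tune per deployment.
    static final int MAX_HEADER_BYTES = 4096;

    private static final List<String> CONDITIONAL_HEADERS = List.of("If-Match", "If-None-Match");

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        for (String name : CONDITIONAL_HEADERS) {
            // A header may be repeated; sum every occurrence so that splitting a large
            // value across several header lines does not slip under the limit.
            int total = 0;
            for (String value : Collections.list(request.getHeaders(name))) {
                total += value.length();
            }
            if (total > MAX_HEADER_BYTES) {
                // 431 Request Header Fields Too Large (RFC 6585); the handler chain is never entered.
                response.sendError(431, name + " header exceeds " + MAX_HEADER_BYTES + " bytes");
                return;
            }
        }
        chain.doFilter(request, response);
    }
}
```

Rejections logged by this filter (status 431 on the two conditional headers) are also a useful detection signal for attempts to exercise this weakness.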

Tags: Fix · DoS · Improper Resource Release · Resource Exhaustion

Weakness Enumeration

Related Identifiers

BDU:2024-08650
CVE-2024-38809
GHSA-2RMJ-MQ67-H97G

Affected Products

Debian
Spring-Web