CVE-2024-38807

CWE-290 CWE-3477 documents6 sources

Severity

6.3MEDIUM

EPSS

0.0%

top 88.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spring Spring Boot

Timeline

PublishedAug 23

Latest updateJan 15

Description

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 1.0 | Impact: 5.2

Affected Packages3 packages

▶Mavenorg.springframework.boot:spring-boot-loader-classic2.7.0 — 2.7.22+4

▶Mavenorg.springframework.boot:spring-boot-loader2.7.0 — 2.7.22+4

▶CVEListV5spring/spring_boot2.7.x — 2.7.22+4

🔴Vulnerability Details

OSV

Signature forgery in Spring Boot's Loader↗2024-08-23

▶

OSV

CVE-2024-38807: Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar file↗2024-08-23

▶

CVEList

CVE-2024-38807: Signature Forgery Vulnerability in Spring Boot's Loader↗2024-08-23

▶

GHSA

Signature forgery in Spring Boot's Loader↗2024-08-23

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Applications Risk Matrix: Solution Designer (Spring Boot) — CVE-2024-38807↗2025-01-15

▶

Debian

CVE-2024-38807: libspring-java - Applications that use spring-boot-loader or spring-boot-loader-classic and conta...↗2024

▶