CVE-2024-38807 CVE-2024-38807: Signature Forgery Vulnerability in Spring Boot's Loader

2024-08-2308:26:11

vmware

www.cve.org

cve-2024-38807

signature forgery

spring boot's loader

CVSS3

6.3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS

Percentile

9.5%

JSON

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "packageName": "Spring Boot",
    "product": "Spring Boot",
    "vendor": "Spring",
    "versions": [
      {
        "lessThan": "2.7.22",
        "status": "affected",
        "version": "2.7.x",
        "versionType": "enterprise support only"
      },
      {
        "lessThan": "3.0.17",
        "status": "affected",
        "version": "3.0.x",
        "versionType": "enterprise support only"
      },
      {
        "lessThan": "3.1.13",
        "status": "affected",
        "version": "3.1.x",
        "versionType": "enterprise support only"
      },
      {
        "lessThan": "3.2.9",
        "status": "affected",
        "version": "3.2.x",
        "versionType": "OSS"
      },
      {
        "lessThan": "3.3.3",
        "status": "affected",
        "version": "3.3.x",
        "versionType": "OSS"
      }
    ]
  }
]