Lucene search

GitHub Advisory DatabaseGHSA-7CJ3-X93G-GJ76

HistoryAug 23, 2024 - 9:30 a.m.

Signature forgery in Spring Boot's Loader

2024-08-2309:30:35

CWE-347

GitHub Advisory Database

github.com

spring boot

loader

signature forgery

vulnerability

software

CVSS3

6.3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

AI Score

7.1

Confidence

Low

EPSS

Percentile

9.5%

JSON

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.

Affected configurations

Vulners

Node

org.springframework.boot\springMatchboot

VendorProductVersionCPE
org.springframework.boot\springbootcpe:2.3:a:org.springframework.boot\:spring:boot:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.springframework.boot\	spring	boot	cpe:2.3:a:org.springframework.boot\:spring:boot::::::::

References

github.com/advisories/GHSA-7cj3-x93g-gj76

nvd.nist.gov/vuln/detail/CVE-2024-38807

spring.io/security/cve-2024-38807

CVSS3

6.3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

AI Score

7.1

Confidence

Low

EPSS

Percentile

9.5%

JSON

Related for GHSA-7CJ3-X93G-GJ76