org.apache.camel.springboot:camel-itest-spring-boot (>=4.0.0-RC1 <=4.0.6), org.springframework.boot:spring-boot-jarmode-layertools (>=3.1.0 <=3.1.12) potentially affected by CVE-2024-38807 via org.springframework.boot:spring-boot-loader (>=3.1.0 <=3.1.12)

org.springframework.boot:spring-boot-loader MAVEN version =3.1.0, =4.0.0-RC1, =3.1.0, =3.1.12 Source cves: CVE-2024-38807 Source advisory: OSV:GHSA-7CJ3-X93G-GJ76...

Signature forgery in Spring Boot's Loader

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another...

GHSA-7CJ3-X93G-GJ76 Signature forgery in Spring Boot's Loader

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another...

com.alipay.sofa.koupleless:arklet-springboot-starter (>=1.0.0 <=1.4.2), com.alipay.sofa.koupleless:koupleless-base-starter (>=1.0.0 <=1.4.2) +84 more potentially affected by CVE-2024-38807 via org.springframework.boot:spring-boot-loader (>=2.7.0 <=2.7.2)

org.springframework.boot:spring-boot-loader MAVEN version =2.7.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =0.5.1, =0.5.1, =2.2.4, =2.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.1 and more Source cves: CVE-2024-38807 Source advisory:...

com.wizzdi:FlexiCore (=7.0.0), org.springframework.boot:spring-boot-jarmode-layertools (>=3.0.0 <=3.0.13) +2 more potentially affected by CVE-2024-38807 via org.springframework.boot:spring-boot-loader (>=3.0.0 <=3.0.13)

org.springframework.boot:spring-boot-loader MAVEN version =3.0.0, =3.0.0, =4.0.0, =4.0.0, =4.0.6 Source cves: CVE-2024-38807 Source advisory: OSV:GHSA-7CJ3-X93G-GJ76...

io.americanexpress.synapse:sample-function-greeter-gcp (>=0.4.15 <=0.4.16), io.zipkin:zipkin-server (>=3.3.1 <=3.4.1) +3 more potentially affected by CVE-2024-38807 via org.springframework.boot:spring-boot-loader-classic (>=3.3.0 <=3.3.2)

org.springframework.boot:spring-boot-loader-classic MAVEN version =3.3.0, =0.4.15, =3.3.1, =3.3.0, =3.3.13 - org.springframework.cloud:spring-cloud-function-adapter-gcp =4.1.6 - org.springframework.cloud:spring-cloud-function-deployer =4.1.6 Source cves: CVE-2024-38807 Source advisory:...

com.tencent.devops:devops-boot-starter-plugin (=1.0.0), com.tencent.devops:devops-plugin-core (=1.0.0) +128 more potentially affected by CVE-2024-38807 via org.springframework.boot:spring-boot-loader (>=3.3.1 <=3.3.2)

org.springframework.boot:spring-boot-loader MAVEN version =3.3.1, =0.4.15, =4.7.0, =8.2.0, =8.2.0, =3.87.0-03, =3.87.0-03, =3.87.0-03, =3.87.0-03, =3.89.0-09, =3.89.0-09, =3.89.0-09, =3.89.0-09, =3.89.0-09, =3.90.3-03 and more Source cves: CVE-2024-38807https://vulners.com/cve/CVE-2024-38807...

CVE-2024-38807

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another...

CVE-2024-38807

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another...

DEBIAN-CVE-2024-38807

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another...

UBUNTU-CVE-2024-38807

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another...

CVE-2024-38807

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another...

CVE-2024-38807

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another...

CVE-2024-38807

CVE-2024-38807 describes a signature forgery vulnerability in VMware Spring Boot/loader components where signature verification of nested JARs can be bypassed, enabling content signed by one signer to appear signed by another. The NVD summary matches this description. Connected advisories identif...

VMware Spring Boot 安全漏洞

VMware Spring Boot is a set of open source frameworks from VMware. A security vulnerability exists in VMware Spring Boot that stems from vulnerability to signature forgery attacks. The following products and versions are affected: Versions 2.7.0 through 2.7.21, 3.0.0 through 3.0.16, 3.1.0 through...

PT-2024-28229

Name of the Vulnerable Software and Affected Versions Spring Boot versions 2.7.0 through 2.7.21 Spring Boot versions 3.0.0 through 3.0.16 Spring Boot versions 3.1.0 through 3.1.12 Spring Boot versions 3.2.0 through 3.2.8 Spring Boot versions 3.3.0 through 3.3.2 Description Applications that use...

Structured logging in Spring Boot 3.4

Logging is a long established part of troubleshooting applications and one of the three pillars of observability, next to metrics and traces. No one likes flying blind in production, and when incidents happen, developers are happy to have log files. Logs are often written out in a human-readable...

Spring Tips: HTMX

Hi, Spring fans! HTMX is the progressive hypertext sensation that's sweeping the process of web app creation, and - thanks to a nice integration by Spring community legend Wim Deblauwe, it's easier than ever to use it with Spring Boot and Thymeleaf. And, it's the topic of today's installment! jav...

cn.centychen:xxl-job-spring-boot-starter (>=1.0.0-RELEASE <=1.0.1-RELEASE), cn.com.365trade.oss:xxl-job-admin (>=2.2.1.1_zzlh <=2.2.1_zzlh) +31 more potentially affected by CVE-2023-45146 via com.xuxueli:xxl-rpc-core (>=1.2.0 <=1.6.0)

com.xuxueli:xxl-rpc-core MAVEN version =1.2.0, =1.0.0-RELEASE, =2.2.1.1zzlh, =2.2.1.1zzlh, =1.1.1, =2.1.1-RELEASE, =0.0.1, =0.0.1, =2.0.4, =2.0.4, =0.0.1, =2.0.5 and more Source cves: CVE-2023-45146 Source advisory: OSV:GHSA-F984-3WX8-GRP9...

Spring Tips: Spring Security method security with special guest Rob Winch

Hi, Spring fans! In this installment I have special guest Spring Security lead Rob Winch give us a master class in how the method security support works and some of its new features. Come for the security, stay for the incredible opportunity to look over a senior engineer's shoulders as he explai...