Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to spring-web-6.1.11.jar CVE-2024-38809

Summary IBM Maximo Application Suite - Monitor Component is vulnerable to spring-web-6.1.11.jar CVE-2024-38809. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-38809 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denia...

ai.optfor:spring-openai-api (>=0.1 <=0.3.25), am.ik.s3:simple-s3-client (>=0.1.0 <=0.1.1) +4174 more potentially affected by CVE-2024-38820 via org.springframework:spring-web (>=6.0.0 <=6.0.23)

org.springframework:spring-web MAVEN version =6.0.0, =0.1, =0.1.0, =0.2.3, =0.2.3, =0.0.6, =0.0.6, =4.6.18, =4.0.0, =1.5.0.RELEASE, =1.5.1.RELEASE, =1.5.0.RELEASE, =2.1.0.RELEASE, =1.5.0.RELEASE, =1.5.2.RELEASE and more Source cves: CVE-2024-38820 Source advisory: OSV:GHSA-4GC7-5J7H-4QPH...

ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.1.1 <=0.112.0), ai.ancf.lmos:arc-runner (>=0.1.1 <=0.112.0) +4775 more potentially affected by CVE-2024-38820 via org.springframework:spring-web (>=6.1.0 <=6.1.13)

org.springframework:spring-web MAVEN version =6.1.0, =0.1.1, =0.1.1, =0.0.4, =0.1.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.5.0, =0.7.5, =0.8.7 and more Source cves: CVE-2024-38820 Source advisory: OSV:GHSA-4GC7-5J7H-4QPH...

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +37149 more potentially affected by CVE-2024-38820 via org.springframework:spring-web (>=1.2.1 <=5.3.4)

org.springframework:spring-web MAVEN version =1.2.1, =1.1, =0.0.1, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.2.0 and more Source cves: CVE-2024-38820 Source advisory: OSV:GHSA-4GC7-5J7H-4QPH...

org.springframework:spring-web: Spring Framework DoS via conditional HTTP request

A flaw was found in the Spring Web org.springframework:spring-web package. Due to improper ETag prefix validation when the application parses ETags from the If-Match or If-None-Match request headers, an attacker can trigger a denial of service by sending a maliciously crafted conditional HTTP...

Denial Of Service (DoS)

org.springframework,spring-web is vulnerable to Denial Of Service DoS. The vulnerability is due to improper handling of ETags from If-Match or If-None-Match request headers, allowing attackers to overwhelm the system and cause service disruption...

CVE-2024-38809

A flaw was found in the Spring Web org.springframework:spring-web package. Due to improper ETag prefix validation when the application parses ETags from the If-Match or If-None-Match request headers, an attacker can trigger a denial of service by sending a maliciously crafted conditional HTTP...

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +36925 more potentially affected by CVE-2024-38809 via org.springframework:spring-web (>=1.2.1 <=5.3.37)

org.springframework:spring-web MAVEN version =1.2.1, =1.1, =0.0.1, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.2.0 and more Source cves: CVE-2024-38809 Source advisory: OSV:GHSA-2RMJ-MQ67-H97G...

ai.optfor:spring-openai-api (>=0.1 <=0.3.25), am.ik.s3:simple-s3-client (>=0.1.0 <=0.1.1) +4169 more potentially affected by CVE-2024-38809 via org.springframework:spring-web (>=6.0.0 <=6.0.22)

org.springframework:spring-web MAVEN version =6.0.0, =0.1, =0.1.0, =0.2.3, =0.2.3, =0.0.6, =0.0.6, =4.0.0, =1.5.0.RELEASE, =1.5.1.RELEASE, =1.5.0.RELEASE, =2.1.0.RELEASE, =1.5.0.RELEASE, =3.0.0, =3.1.1 and more Source cves: CVE-2024-38809 Source advisory: OSV:GHSA-2RMJ-MQ67-H97G...

ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.70.0 <=0.74.0), ai.ancf.lmos:arc-runner (=0.73.0) +3484 more potentially affected by CVE-2024-38809 via org.springframework:spring-web (>=6.1.0 <=6.1.11)

org.springframework:spring-web MAVEN version =6.1.0, =0.70.0, =0.1.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.5.0, =0.7.5, =0.8.3, =0.8.7 and more Source cves: CVE-2024-38809 Source advisory: OSV:GHSA-2RMJ-MQ67-H97G...

Path Traversal

org.springframework:spring-webmvc and org.springframework:spring-webflux are vulnerable to Path Traversal. The vulnerability is due to inadequate validation of file paths in HTTP requests, allowing access to files on the file system when using RouterFunctions with a FileSystemResource location...

org.springframework:spring-web used by Jira 9 contains vulnerabilities

Jira 9 and possibly the upcoming Jira 10 are affected by CVE-2024-38808. https://spring.io/security/cve-2024-38808 https://asecurityteam.atlassian.net/browse/VULN-1409329...

Security Bulletin: Vulnerability with Perl, Snappy, Psf Request, spring-web-5.3.33.jar , Apache HTTP Server, OpenJDK, affect IBM Cloud Object Storage Systems (July 2024v1)

Summary Vulnerability with Perl CVE-2023-47038, Snappy CVE-2024-36124, Psf Request CVE-2024-35195, spring-web-5.3.33.jar CVE-2024-22262 , Apache HTTP Server, CVE-2024-24795, CVE-2023-38709 OpenJDK CVE-2024-21094, CVE-2024-21011, CVE-2024-21085, CVE-2024-21068, CVE-2024-21012,. This vulnerability...

SSRF (Server-Side Request Forgery) org.springframework:spring-web Dependency in Crowd Data Center and Server

This High severity org.springframework:spring-web Dependency vulnerability was introduced in versions 5.1.0, 5.2.0, and 5.3.0 of Crowd Data Center and Server. This org.springframework:spring-web Dependency vulnerability, with a CVSS Score of 8.1 and a CVSS Vector of...

SSRF (Server-Side Request Forgery) org.springframework:spring-web Dependency in Crowd Data Center and Server

This High severity org.springframework:spring-web Dependency vulnerability was introduced in versions 5.1.0, 5.2.0, and 5.3.0 of Crowd Data Center and Server. This org.springframework:spring-web Dependency vulnerability, with a CVSS Score of 8.1 and a CVSS Vector of...

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in spring-web-5.3.15.jar

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of spring-web-5.3.15.jar Vulnerability Details CVEID:CVE-2024-22243 DESCRIPTION: VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability...

RHEL 7 : jasperreports-server-pro (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - jackson-databind: Unsafe deserialization due to incomplete black list incomplete fix for CVE-2017-15095...

RHEL 7 : spring-webflow (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - spring-webflow: Data Binding Expression Vulnerability in Spring Web Flow CVE-2017-8039 - An issue was...

Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to privilege escalation due to Spring-Web (CVE-2023-44794)

Summary IBM Sterling Connect:Direct Web Services uses Spring-Web. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2023-44794 DESCRIPTION: Dromara SaToken and SpringBoot could allow a remote authenticated attacker to gain elevated privileg...

Open Redirect

org.springframework: spring-web is vulnerable Open Redirect. The vulnerability is caused due to improper validation checks on the host of the parsed URL, which could lead to potential SSRF attacks if the URL is utilized post-validation...