ROOT-APP-MAVEN-CVE-2024-38807 CVE-2024-38807 in io.root.org.springframework.boot:spring-boot-loader - Patched by Root

Root has patched CVE-2024-38807 in the io.root.org.springframework.boot:spring-boot-loader package for Root:Maven. Multiple fixed versions available...

Linux Distros Unpatched Vulnerability : CVE-2024-38807

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be...

io.americanexpress.synapse:sample-function-greeter-gcp (>=0.4.0 <=0.4.14), io.zipkin:zipkin-server (>=3.0.0 <=3.3.0) +3 more potentially affected by CVE-2024-38807 via org.springframework.boot:spring-boot-loader-classic (>=3.2.0 <=3.2.8)

org.springframework.boot:spring-boot-loader-classic MAVEN version =3.2.0, =0.4.0, =3.0.0, =3.2.0, =4.1.0, =4.1.0, =4.1.5 Source cves: CVE-2024-38807 Source advisory: OSV:GHSA-7CJ3-X93G-GJ76...

com.alipay.sofa.koupleless:arklet-springboot-starter (>=2.1.0 <=2.1.11), com.alipay.sofa.koupleless:koupleless-base-starter (>=2.1.0 <=2.1.11) +8 more potentially affected by CVE-2024-38807 via org.springframework.boot:spring-boot-loader (>=3.2.0 <=3.2.7)

org.springframework.boot:spring-boot-loader MAVEN version =3.2.0, =2.1.0, =2.1.0, =4.2.0, =4.2.0, =3.1.0, =0.4.0, =4.3.0, =4.1.0, =4.1.0, =4.1.5 Source cves: CVE-2024-38807 Source advisory: OSV:GHSA-7CJ3-X93G-GJ76...

org.apache.camel.springboot:camel-itest-spring-boot (>=4.0.0-RC1 <=4.0.6), org.springframework.boot:spring-boot-jarmode-layertools (>=3.1.0 <=3.1.12) potentially affected by CVE-2024-38807 via org.springframework.boot:spring-boot-loader (>=3.1.0 <=3.1.12)

org.springframework.boot:spring-boot-loader MAVEN version =3.1.0, =4.0.0-RC1, =3.1.0, =3.1.12 Source cves: CVE-2024-38807 Source advisory: OSV:GHSA-7CJ3-X93G-GJ76...

GHSA-7CJ3-X93G-GJ76 Signature forgery in Spring Boot's Loader

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another...

com.alipay.sofa.koupleless:arklet-springboot-starter (>=1.0.0 <=1.4.2), com.alipay.sofa.koupleless:koupleless-base-starter (>=1.0.0 <=1.4.2) +84 more potentially affected by CVE-2024-38807 via org.springframework.boot:spring-boot-loader (>=2.7.0 <=2.7.2)

org.springframework.boot:spring-boot-loader MAVEN version =2.7.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =0.5.1, =0.5.1, =2.2.4, =2.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.1 and more Source cves: CVE-2024-38807 Source advisory:...

com.wizzdi:FlexiCore (=7.0.0), org.springframework.boot:spring-boot-jarmode-layertools (>=3.0.0 <=3.0.13) +2 more potentially affected by CVE-2024-38807 via org.springframework.boot:spring-boot-loader (>=3.0.0 <=3.0.13)

org.springframework.boot:spring-boot-loader MAVEN version =3.0.0, =3.0.0, =4.0.0, =4.0.0, =4.0.6 Source cves: CVE-2024-38807 Source advisory: OSV:GHSA-7CJ3-X93G-GJ76...

io.americanexpress.synapse:sample-function-greeter-gcp (>=0.4.15 <=0.4.16), io.zipkin:zipkin-server (>=3.3.1 <=3.4.1) +3 more potentially affected by CVE-2024-38807 via org.springframework.boot:spring-boot-loader-classic (>=3.3.0 <=3.3.2)

org.springframework.boot:spring-boot-loader-classic MAVEN version =3.3.0, =0.4.15, =3.3.1, =3.3.0, =3.3.13 - org.springframework.cloud:spring-cloud-function-adapter-gcp =4.1.6 - org.springframework.cloud:spring-cloud-function-deployer =4.1.6 Source cves: CVE-2024-38807 Source advisory:...

com.tencent.devops:devops-boot-starter-plugin (=1.0.0), com.tencent.devops:devops-plugin-core (=1.0.0) +128 more potentially affected by CVE-2024-38807 via org.springframework.boot:spring-boot-loader (>=3.3.1 <=3.3.2)

org.springframework.boot:spring-boot-loader MAVEN version =3.3.1, =0.4.15, =4.7.0, =8.2.0, =8.2.0, =3.87.0-03, =3.87.0-03, =3.87.0-03, =3.87.0-03, =3.89.0-09, =3.89.0-09, =3.89.0-09, =3.89.0-09, =3.89.0-09, =3.90.3-03 and more Source cves: CVE-2024-38807https://vulners.com/cve/CVE-2024-38807...

DEBIAN-CVE-2024-38807

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another...

CVE-2024-38807

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another...

UBUNTU-CVE-2024-38807

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another...

CVE-2024-38807

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another...

CVE-2024-38807

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another...

CVE-2024-38807

CVE-2024-38807 describes a signature forgery vulnerability in VMware Spring Boot/loader components where signature verification of nested JARs can be bypassed, enabling content signed by one signer to appear signed by another. The NVD summary matches this description. Connected advisories identif...

Symlink Privilege Escalation

spring-boot-loader-tools is vulnerable to symlink privilege escalation attacks. The runuser can overwrite and take over ownership of any file on the system by using a symlink attack. The application must be installed as a service and the runuser must have shell access in order to successfully...