
CVE-2024-22271 Spring Cloud Function Web DOS Vulnerability

2024-07-09 12:50:15
vmware
github.com
spring cloud function
dos vulnerability
web module

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

AI Score

6.6

Confidence

Low

SSVC

Exploitation

none

Automatable

yes

Technical Impact

partial

In the Spring Cloud Function framework, versions 4.1.x prior to 4.1.2 and 4.0.x prior to 4.0.8, an application is vulnerable to a DoS attack when attempting to compose functions with non-existing functions.

Specifically, an application is vulnerable when all of the following are true:

The application uses the Spring Cloud Function Web module

Affected Spring Products and Versions

Spring Cloud Function Framework 4.1.0 to 4.1.2
Spring Cloud Function Framework 4.0.0 to 4.0.8

References

https://spring.io/security/cve-2022-22979
https://checkmarx.com/blog/spring-function-cloud-dos-cve-2022-22979-and-unintended-function-invocation/

History

2020-01-16: Initial vulnerability report published.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:vmware:spring_cloud_function:4.0.0:*:*:*:*:*:*:*"
    ],
    "vendor": "vmware",
    "product": "spring_cloud_function",
    "versions": [
      {
        "status": "affected",
        "version": "4.0.0",
        "lessThan": "4.0.8",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "cpes": [
      "cpe:2.3:a:vmware:spring_cloud_function:4.1.0:*:*:*:*:*:*:*"
    ],
    "vendor": "vmware",
    "product": "spring_cloud_function",
    "versions": [
      {
        "status": "affected",
        "version": "4.1.0",
        "lessThan": "4.1.2",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
