opensearch-build icon indicating copy to clipboard operation
opensearch-build copied to clipboard

Published 20 hours ago • verified publisher icon opensearch-project

CVE-2024-38809 (Medium) detected in spring-web-5.3.29.jar

Open mend-for-github-com[bot] opened this issue 1 year ago • 3 comments

CVE-2024-38809 - Medium Severity Vulnerability

Vulnerable Library - spring-web-5.3.29.jar

Spring Web

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.29/4cd333e48d9a05d05c05ae7426242ecfe4cfb681/spring-web-5.3.29.jar

Dependency Hierarchy:

  • jenkins-core-2.426.3.jar (Root Library)
    • spring-security-web-5.8.7.jar
      • :x: spring-web-5.3.29.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions should upgrade to the corresponding fixed version. Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.

Publish Date: 2024-09-27

URL: CVE-2024-38809

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38809

Release Date: 2024-09-27

Fix Resolution: org.springframework:spring-web:5.3.38,6.0.23,6.1.12

mend-for-github-com[bot] avatar Aug 28 '24 22:08 mend-for-github-com[bot]

Adding @zelinh to please take a look.

prudhvigodithi avatar Aug 29 '24 16:08 prudhvigodithi

This spring library is introduced by jenkins core 2.426.3. https://mvnrepository.com/artifact/org.jenkins-ci.main/jenkins-core/2.426.3 We could fix all spring related CVEs by manually upgrade org.springframework.security » spring-security-web to 6.3.3.

zelinh avatar Aug 29 '24 21:08 zelinh

After researching, we can't upgrade spring libraries without upgrading jenkins core version and potential JDK upgrade. Explicitly upgrading will cause compatibility issue.

zelinh avatar Aug 29 '24 22:08 zelinh

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] avatar Jul 21 '25 18:07 mend-for-github-com[bot]