
CVE-2024-38809 (Medium) detected in spring-web-6.1.11.jar

Open mend-bolt-for-github[bot] opened this issue 1 year ago • 0 comments

CVE-2024-38809 - Medium Severity Vulnerability

Vulnerable Library - spring-web-6.1.11.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /tools/spring/spring-test-utilities/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/6.1.11/8910d08f15492273543d2c8032b2b895e08ed9e/spring-web-6.1.11.jar (the same cached artifact is reported once per dependent module)

Dependency Hierarchy:

  • spring-security-test-6.3.1.jar (Root Library)
    • spring-security-web-6.3.1.jar
      • :x: spring-web-6.1.11.jar (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Spring Framework is vulnerable to DoS via conditional HTTP requests. Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to a Denial of Service attack. All versions before 5.3.38, 6.0.23 and 6.1.12 are affected.

Publish Date: 2024-06-20

URL: CVE-2024-38809

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38809

Release Date: 2024-06-20

Fix Resolution: org.springframework:spring-web:5.3.38,6.0.23,6.1.12
