Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0ycm1qLW1xNjctaDk3Z84AA_vW
Spring Framework DoS via conditional HTTP request
Description
Applications that parse ETags from If-Match or If-None-Match request headers are vulnerable to a DoS attack.
Affected Spring Products and Versions
org.springframework:spring-web in versions
- 6.1.0 through 6.1.11
- 6.0.0 through 6.0.22
- 5.3.0 through 5.3.37
Older, unsupported versions are also affected.
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
- 6.1.x -> 6.1.12
- 6.0.x -> 6.0.23
- 5.3.x -> 5.3.38
No other mitigation steps are necessary.
Users of older, unsupported versions could enforce a size limit on If-Match and If-None-Match headers, e.g. through a Filter.
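One way to implement the size limit the advisory suggests, as an added example that is not part of the advisory or of the Spring project's own code: a servlet Filter that rejects any request whose If-Match or If-None-Match headers exceed a fixed total length before the request reaches Spring's ETag parsing. The jakarta.servlet imports match Spring Framework 6.x; on 5.3.x (Servlet 4/5 API) the same code works with javax.servlet imports. The 2048-character limit, the class name and the 431 status code choice are assumptions for this example, not values from the advisory.

```java
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import java.io.IOException;
import java.util.Enumeration;

/**
 * Rejects requests whose conditional-request headers are unreasonably large.
 * Example filter (assumed design, not Spring's fix): it runs before the
 * framework parses the ETag list, so an oversized header never reaches
 * the vulnerable parsing path.
 */
public class ConditionalHeaderSizeFilter implements Filter {

    // Assumed limit: a legitimate ETag list is far shorter than this.
    private static final int MAX_TOTAL_HEADER_CHARS = 2048;

    // The two headers named in the advisory.
    private static final String[] CONDITIONAL_HEADERS = {"If-Match", "If-None-Match"};

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        for (String name : CONDITIONAL_HEADERS) {
            // A client may send the header several times; count all values,
            // because the framework joins repeated headers into one list.
            int total = totalLength(request.getHeaders(name));
            if (total > MAX_TOTAL_HEADER_CHARS) {
                // 431 Request Header Fields Too Large (RFC 6585) is the
                // closest standard status; 400 would also be defensible.
                response.sendError(431, name + " header too large");
                return; // do not continue the chain
            }
        }
        chain.doFilter(req, res);
    }

    /** Sums the lengths of all values of one header; null-safe. */
    static int totalLength(Enumeration<String> values) {
        int total = 0;
        while (values != null && values.hasMoreElements()) {
            total += values.nextElement().length();
        }
        return total;
    }
}
```

In a Spring Boot application the filter can be registered through a FilterRegistrationBean with a low order value so it runs ahead of the framework's own filters; in a plain servlet container it is declared in web.xml or with @WebFilter. Rejecting on total length across repeated headers rather than on a single value closes the obvious workaround of splitting one long list over many header lines.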
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycm1qLW1xNjctaDk3Z84AA_vW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Percentage: 0.00043
EPSS Percentile: 0.10511
Identifiers: GHSA-2rmj-mq67-h97g, CVE-2024-38809
References:
- https://github.com/spring-projects/spring-framework/issues/33372
- https://github.com/spring-projects/spring-framework/commit/582bfccbb72e5c8959a0b472d1dc7d03a20520f3
- https://github.com/spring-projects/spring-framework/commit/8d16a50907c11f7e6b407d878a26e84eba08a533
- https://github.com/spring-projects/spring-framework/commit/bb17ad8314b81850a939fd265fb53b3361705e85
- https://spring.io/security/cve-2024-38809
- https://nvd.nist.gov/vuln/detail/CVE-2024-38809
- https://github.com/advisories/GHSA-2rmj-mq67-h97g
Blast Radius: 27.5
Affected Packages
maven:org.springframework:spring-web
Dependent packages: 6,673
Dependent repositories: 153,377
Downloads:
Affected Version Ranges: >= 6.1.0, < 6.1.12, >= 6.0.0, < 6.0.23, < 5.3.38
Fixed in: 6.1.12, 6.0.23, 5.3.38
All affected versions: 1.0.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.3.7, 5.3.8, 5.3.9, 5.3.10, 5.3.11, 5.3.12, 5.3.13, 5.3.14, 5.3.15, 5.3.16, 5.3.17, 5.3.18, 5.3.19, 5.3.20, 5.3.21, 5.3.22, 5.3.23, 5.3.24, 5.3.25, 5.3.26, 5.3.27, 5.3.28, 5.3.29, 5.3.30, 5.3.31, 5.3.32, 5.3.33, 5.3.34, 5.3.35, 5.3.36, 5.3.37, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.0.16, 6.0.17, 6.0.18, 6.0.19, 6.0.20, 6.0.21, 6.0.22, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11
All unaffected versions: 5.3.38, 5.3.39, 6.0.23, 6.1.12, 6.1.13, 6.1.14, 6.1.15, 6.1.16, 6.2.0, 6.2.1