Home > Vulnerability Database > CVE-2024-38807

Mend.io Vulnerability Database

CVE-2024-38807

Good to know:

Date: August 23, 2024

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.

Language: Java

Severity Score

6.3

Related Resources (6)

Url: https://security.netapp.com/advisory/ntap-20250117-0006

Url: https://github.com/spring-projects/spring-boot

Url: https://security.netapp.com/advisory/ntap-20250117-0006/

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-38807

Url: https://spring.io/security/cve-2024-38807

Url: https://www.mend.io/vulnerability-database/CVE-2024-38807

Severity Score

6.3

Weakness Type (CWE)

Improper Verification of Cryptographic Signature

CWE-347

Authentication Bypass by Spoofing

CWE-290

Top Fix

Upgrade Version

Upgrade to version org.springframework.boot:spring-boot-loader:3.3.3;org.springframework.boot:spring-boot-loader:2.7.18-spring-boot-2.7.20;org.springframework.boot:spring-boot-loader:3.2.9;org.springframework.boot:spring-boot-loader-classic:3.2.9;org.springframework.boot:spring-boot-loader-classic:3.3.3

Learn More

CVSS v3.1

Base Score:	6.3
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-38807

Good to know:

Date: August 23, 2024

Language: Java

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?