CVE-2024-38809: Input Validation
First published: Tue Sep 24 2024(Updated: )
### Description Applications that parse ETags from `If-Match` or `If-None-Match` request headers are vulnerable to DoS attack. ### Affected Spring Products and Versions org.springframework:spring-web in versions 6.1.0 through 6.1.11 6.0.0 through 6.0.22 5.3.0 through 5.3.37 Older, unsupported versions are also affected ### Mitigation Users of affected versions should upgrade to the corresponding fixed version. 6.1.x -> 6.1.12 6.0.x -> 6.0.23 5.3.x -> 5.3.38 No other mitigation steps are necessary. Users of older, unsupported versions could enforce a size limit on `If-Match` and `If-None-Match` headers, e.g. through a Filter.
Credit: security@vmware.com security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.springframework:spring-web | >=6.1.0<6.1.12 | 6.1.12 |
| maven/org.springframework:spring-web | >=6.0.0<6.0.23 | 6.0.23 |
| maven/org.springframework:spring-web | <5.3.38 | 5.3.38 |
| IBM Security Verify Governance, Identity Manager software component | <=ISVG 10.0.2 | |
| IBM Security Verify Governance, Identity Manager virtual appliance component | <=ISVG 10.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/spring-projects/spring-framework/issues/33372
- https://github.com/spring-projects/spring-framework/commit/582bfccbb72e5c8959a0b472d1dc7d03a20520f3
- https://github.com/spring-projects/spring-framework/commit/8d16a50907c11f7e6b407d878a26e84eba08a533
- https://github.com/spring-projects/spring-framework/commit/bb17ad8314b81850a939fd265fb53b3361705e85
- https://spring.io/security/cve-2024-38809
- https://nvd.nist.gov/vuln/detail/CVE-2024-38809
- https://github.com/advisories/GHSA-2rmj-mq67-h97g (Advisory)
- https://access.redhat.com/errata/RHSA-2024:8064
- https://bugzilla.redhat.com/show_bug.cgi?id=2314495
- https://www.ibm.com/support/pages/node/7172423 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-38809?
CVE-2024-38809 is classified as a Denial of Service (DoS) vulnerability.
How do I fix CVE-2024-38809?
To fix CVE-2024-38809, update the org.springframework:spring-web package to version 6.1.12, 6.0.23, or 5.3.38, based on your version.
What applications are affected by CVE-2024-38809?
CVE-2024-38809 affects applications that use org.springframework:spring-web versions 5.3.0 through 5.3.37, 6.0.0 through 6.0.22, and 6.1.0 through 6.1.11.
Can I still use versions of spring-web affected by CVE-2024-38809?
Using affected versions of spring-web poses a security risk and is not recommended until they are updated to a secure version.
What types of attacks can CVE-2024-38809 be exploited for?
CVE-2024-38809 can be exploited to execute Denial of Service (DoS) attacks against vulnerable applications by malformed ETags.
- agent/first-publish-date
- agent/type
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-2rmj-mq67-h97g
- alias/CVE-2024-38809
- agent/software-canonical-lookup
- collector/nvd-api
- source/NVD
- collector/mitre-cve
- source/MITRE
- collector/nvd-cve
- collector/github-advisory
- collector/redhat-bugzilla
- source/Red Hat
- agent/severity
- agent/event
- agent/trending
- agent/weakness
- agent/description
- agent/source
- collector/ibm-support
- source/IBM
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/tags
- package-manager/maven
- vendor/ibm
- canonical/ibm security verify governance, identity manager software component
- version/ibm security verify governance, identity manager software component/isvg 10.0.2
- canonical/ibm security verify governance, identity manager virtual appliance component
- version/ibm security verify governance, identity manager virtual appliance component/isvg 10.0.2