GHSA-2rmj-mq67-h97g

Published: 24 Sep 2024
Source: github
GitHub: Reviewed
CVSS3: 5.3

Description

Spring Framework DoS via conditional HTTP request

Description

Applications that parse ETags from If-Match or If-None-Match request headers are vulnerable to DoS attack.

Affected Spring Products and Versions

org.springframework:spring-web in versions

6.1.0 through 6.1.11
6.0.0 through 6.0.22
5.3.0 through 5.3.37

Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

6.1.x -> 6.1.12
6.0.x -> 6.0.23
5.3.x -> 5.3.38

No other mitigation steps are necessary.

Users of older, unsupported versions could enforce a size limit on If-Match and If-None-Match headers, e.g. through a Filter.
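As an added illustration of that fallback (this is not code from the advisory or from the Spring project), below is a Servlet Filter that rejects any request whose combined If-Match or If-None-Match header values exceed a fixed byte budget before the framework ever parses them. The 4 KiB limit, the class name and the use of the jakarta.servlet API (Spring 6.x; 5.3.x users would import javax.servlet instead) are assumptions; the 431 status code is the RFC 6585 "Request Header Fields Too Large" response.

```java
import java.io.IOException;
import java.util.Enumeration;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Rejects requests whose conditional ETag headers are implausibly large.
 * Legitimate If-Match / If-None-Match values are a handful of short ETags,
 * so a fixed cap loses nothing for real clients while bounding the input
 * the ETag parser has to process.
 */
public class ConditionalHeaderSizeFilter implements Filter {

    // Assumed budget: total bytes allowed across all values of one header name.
    static final int MAX_HEADER_LENGTH = 4096;

    // The two headers the advisory names; nothing else is inspected.
    private static final String[] GUARDED_HEADERS = {"If-Match", "If-None-Match"};

    /** Returns true if any guarded header exceeds the budget (repeated header lines are summed). */
    static boolean exceedsLimit(HttpServletRequest request) {
        for (String name : GUARDED_HEADERS) {
            Enumeration<String> values = request.getHeaders(name);
            int total = 0;
            while (values != null && values.hasMoreElements()) {
                total += values.nextElement().length();
                if (total > MAX_HEADER_LENGTH) {
                    return true;
                }
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && exceedsLimit((HttpServletRequest) req)) {
            // Fail closed: short-circuit the chain so the controller never sees the request.
            ((HttpServletResponse) res).sendError(431, "Conditional request header too large");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

In a Spring Boot application the filter can be registered as a bean (for example through a FilterRegistrationBean with a low order so it runs before DispatcherServlet); in a plain servlet container it is declared in web.xml or via a ServletContainerInitializer. The check sums all occurrences of each header name, so splitting a long value across repeated header lines does not bypass the limit. This is a stop-gap for versions that cannot be upgraded; the advisory's primary fix remains moving to 6.1.12, 6.0.23 or 5.3.38.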

Packages

Name: org.springframework:spring-web (maven)
Affected versions: < 5.3.38
Fixed version: 5.3.38

Name: org.springframework:spring-web (maven)
Affected versions: >= 6.0.0, < 6.0.23
Fixed version: 6.0.23

Name: org.springframework:spring-web (maven)
Affected versions: >= 6.1.0, < 6.1.12
Fixed version: 6.1.12

EPSS

Percentile: 34%
0.0014
Low

5.3 Medium

CVSS3

Weaknesses

CWE-1333
CWE-400

Related vulnerabilities

CVSS3: 5.3
ubuntu
more than 1 year ago

Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions should upgrade to the corresponding fixed version. Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.

CVSS3: 5.3
redhat
more than 1 year ago

Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions should upgrade to the corresponding fixed version. Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.

CVSS3: 5.3
nvd
more than 1 year ago

Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions should upgrade to the corresponding fixed version. Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.

CVSS3: 5.3
debian
more than 1 year ago

Applications that parse ETags from "If-Match" or "If-None-Match" reque ...

CVSS3: 5.3
fstec
more than 1 year ago

Vulnerability in the Spring Framework software platform related to resource release errors, allowing an attacker to cause a denial of service
