Digital signature forgery in Spring Boot Loader
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-38807 |
| CWE-ID | CWE-347 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Spring Boot Universal components / Libraries / Software for developers |
| Vendor | Spring |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Improper Verification of Cryptographic Signature
EUVDB-ID: #VU96484
Risk: Low
CVSSv4.0: 4.1 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-38807
CWE-ID:
CWE-347 - Improper Verification of Cryptographic Signature
Exploit availability: No
DescriptionThe vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to incorrect signature verification when using spring-boot-loader and spring-boot-loader-classic for nested jar files. A local user can forge the signature to spoof identity of the code signer.
Install updates from vendor's website.
Vulnerable software versionsSpring Boot: 2.7.0 - 3.3.2
CPE2.3- cpe:2.3:a:spring:spring-boot:2.7.21:*:*:*:*:*:*:*
- cpe:2.3:a:spring:spring-boot:3.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:spring:spring-boot:3.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:spring:spring-boot:3.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:spring:spring-boot:3.3.2:*:*:*:*:*:*:*
https://spring.io/security/cve-2024-38807
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
