#VU96484 Improper Verification of Cryptographic Signature in Spring Boot - CVE-2024-38807

Cybersecurity Help s.r.o.

Published: 2024-08-23

Vulnerability identifier: #VU96484

Vulnerability risk: Low

CVSSv4.0: 4.1 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-38807

CWE-ID: CWE-347

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Spring Boot
Universal components / Libraries / Software for developers

Vendor: Spring

Description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to incorrect signature verification when using spring-boot-loader and spring-boot-loader-classic for nested jar files. A local user can forge the signature to spoof identity of the code signer.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Spring Boot: 2.7.0 - 2.7.21, 3.0.0 - 3.0.16, 3.1.0 - 3.1.12, 3.2.0 - 3.2.8, 3.3.0 - 3.3.2

External links
https://spring.io/security/cve-2024-38807

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Communications Service Catalog and Design

Multiple vulnerabilities in Oracle Communications Cloud Native Core Console

Digital signature forgery in Spring Boot Loader