GHSA-7cj3-x93g-gj76

Source
https://github.com/advisories/GHSA-7cj3-x93g-gj76
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-7cj3-x93g-gj76/GHSA-7cj3-x93g-gj76.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7cj3-x93g-gj76
Aliases
Published
2024-08-23T09:30:35Z
Modified
2024-11-23T05:27:30.615296Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
  • 7.2 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Signature forgery in Spring Boot's Loader
Details

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery: content that appears to have been signed by one signer has in fact been signed by another. Only applications that contain such custom verification code are in scope. The fix is to upgrade to the first fixed release of the affected line (2.7.22, 3.0.17, 3.1.13, 3.2.9 or 3.3.3, as listed under Affected packages below).
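The following Java class is an added example, not code from Spring Boot or from this advisory. It shows what "custom code that performs signature verification of nested jar files" typically looks like, so that the pattern can be recognised during triage: it uses only the JDK java.util.jar API, the class name NestedJarSignerCheck and the parameter expectedSigner are assumptions, and the caller is assumed to pass a JarFile (opened with verification enabled, the default) that wraps the nested jar and the X.509 certificate its entries must be signed with. On an affected loader version the signers reported for nested-jar entries are exactly what can be forged, so code like this is what the advisory scopes, not a mitigation for it.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Illustrative signer check for the entries of a (nested) jar. Assumed
 * names: NestedJarSignerCheck and expectedSigner are not part of any
 * Spring Boot API. Only the JDK JarFile/JarEntry/CodeSigner API is used.
 */
public final class NestedJarSignerCheck {

    private NestedJarSignerCheck() {}

    /**
     * Throws SecurityException unless every non-directory entry outside
     * the signature metadata is signed and every signer's leaf certificate
     * equals expectedSigner. Throwing, rather than returning false, keeps
     * a caller from ignoring the result by accident.
     */
    public static void requireSignedBy(JarFile jar, X509Certificate expectedSigner) throws IOException {
        byte[] buf = new byte[8192];
        Enumeration<JarEntry> entries = jar.entries();
        while (entries.hasMoreElements()) {
            JarEntry entry = entries.nextElement();
            if (entry.isDirectory() || isSignatureMetadata(entry.getName())) {
                continue;
            }
            // getCodeSigners() is only populated after the entry has been read
            // to EOF: the JDK verifies the per-entry digest while streaming and
            // throws SecurityException on a mismatch.
            try (InputStream in = jar.getInputStream(entry)) {
                while (in.read(buf) != -1) {
                    // drain the stream to trigger digest verification
                }
            }
            CodeSigner[] signers = entry.getCodeSigners();
            if (signers == null || signers.length == 0) {
                throw new SecurityException("unsigned entry: " + entry.getName());
            }
            for (CodeSigner signer : signers) {
                // CertPath lists the leaf (signer) certificate first.
                Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
                if (!expectedSigner.equals(leaf)) {
                    throw new SecurityException("entry " + entry.getName()
                            + " signed by unexpected certificate "
                            + ((X509Certificate) leaf).getSubjectX500Principal());
                }
            }
        }
    }

    /** MANIFEST.MF and the signature files are not themselves signed entries. */
    private static boolean isSignatureMetadata(String name) {
        return name.equals("META-INF/MANIFEST.MF")
            || (name.startsWith("META-INF/")
                && (name.endsWith(".SF") || name.endsWith(".RSA")
                    || name.endsWith(".DSA") || name.endsWith(".EC")));
    }
}
```

Two points matter when reading code of this shape in an audit. First, a check that calls getCodeSigners() before draining the entry always sees null and will either reject everything or, worse, treat "no signers" as "no constraint". Second, the check compares whole leaf certificates rather than subject names, so a second key with the same subject DN does not pass; but whether the signers it is handed actually belong to the nested entry is decided by the JarFile implementation supplying the entries, which is why upgrading the loader is the only fix for this advisory.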

Database specific
{
    "nvd_published_at": "2024-08-23T09:15:07Z",
    "cwe_ids": [
        "CWE-347"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-23T18:52:45Z"
}
References

Affected packages

Maven / org.springframework.boot:spring-boot-loader

Package

Name
org.springframework.boot:spring-boot-loader
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.boot/spring-boot-loader

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0
Fixed
2.7.22

Affected versions

2.*

2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.10
2.7.11
2.7.12
2.7.13
2.7.14
2.7.15
2.7.16
2.7.17
2.7.18

Database specific

{
    "last_known_affected_version_range": "<= 2.7.21"
}

Maven / org.springframework.boot:spring-boot-loader-classic

Package

Name
org.springframework.boot:spring-boot-loader-classic
Purl
pkg:maven/org.springframework.boot/spring-boot-loader-classic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0
Fixed
2.7.22

Database specific

{
    "last_known_affected_version_range": "<= 2.7.21"
}

Maven / org.springframework.boot:spring-boot-loader

Package

Name
org.springframework.boot:spring-boot-loader
Purl
pkg:maven/org.springframework.boot/spring-boot-loader

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.17

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13

Database specific

{
    "last_known_affected_version_range": "<= 3.0.16"
}

Maven / org.springframework.boot:spring-boot-loader-classic

Package

Name
org.springframework.boot:spring-boot-loader-classic
Purl
pkg:maven/org.springframework.boot/spring-boot-loader-classic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.17

Database specific

{
    "last_known_affected_version_range": "<= 3.0.16"
}

Maven / org.springframework.boot:spring-boot-loader

Package

Name
org.springframework.boot:spring-boot-loader
Purl
pkg:maven/org.springframework.boot/spring-boot-loader

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.13

Affected versions

3.*

3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12

Database specific

{
    "last_known_affected_version_range": "<= 3.1.12"
}

Maven / org.springframework.boot:spring-boot-loader-classic

Package

Name
org.springframework.boot:spring-boot-loader-classic
Purl
pkg:maven/org.springframework.boot/spring-boot-loader-classic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.13

Database specific

{
    "last_known_affected_version_range": "<= 3.1.12"
}

Maven / org.springframework.boot:spring-boot-loader

Package

Name
org.springframework.boot:spring-boot-loader
Purl
pkg:maven/org.springframework.boot/spring-boot-loader

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.2.0
Fixed
3.2.9

Affected versions

3.*

3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8

Database specific

{
    "last_known_affected_version_range": "<= 3.2.8"
}

Maven / org.springframework.boot:spring-boot-loader-classic

Package

Name
org.springframework.boot:spring-boot-loader-classic
Purl
pkg:maven/org.springframework.boot/spring-boot-loader-classic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.2.0
Fixed
3.2.9

Affected versions

3.*

3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8

Database specific

{
    "last_known_affected_version_range": "<= 3.2.8"
}

Maven / org.springframework.boot:spring-boot-loader

Package

Name
org.springframework.boot:spring-boot-loader
Purl
pkg:maven/org.springframework.boot/spring-boot-loader

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.3.0
Fixed
3.3.3

Affected versions

3.*

3.3.0
3.3.1
3.3.2

Database specific

{
    "last_known_affected_version_range": "<= 3.3.2"
}

Maven / org.springframework.boot:spring-boot-loader-classic

Package

Name
org.springframework.boot:spring-boot-loader-classic
Purl
pkg:maven/org.springframework.boot/spring-boot-loader-classic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.3.0
Fixed
3.3.3

Affected versions

3.*

3.3.0
3.3.1
3.3.2

Database specific

{
    "last_known_affected_version_range": "<= 3.3.2"
}