CVE-2024-38807
Signature forgery in Spring Boot's Loader
6.3
MEDIUM
CVSS 3.1
EPSS 0.04%
Description
Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.
How to fix CVE-2024-38807
To remediate CVE-2024-38807, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 2.7.22 or later
- —upgrade to 2.7.22 or later
Is CVE-2024-38807 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0
- >= 2.7.0, < 2.7.22
- >= 2.7.0, < 2.7.22
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.3 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |