Bug 2314495 (CVE-2024-38809) - CVE-2024-38809 org.springframework:spring-web: Spring Framework DoS via conditional HTTP request
Summary: CVE-2024-38809 org.springframework:spring-web: Spring Framework DoS via condi...
Keywords:
Status: NEW
Alias: CVE-2024-38809
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-09-24 20:00 UTC by OSIDB Bzimport
Modified: 2025-03-04 08:28 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:8064 0 None None None 2024-10-14 15:53:54 UTC

Description OSIDB Bzimport 2024-09-24 20:00:53 UTC
### Description
Applications that parse ETags from `If-Match` or `If-None-Match` request headers are vulnerable to a DoS attack.

### Affected Spring Products and Versions
org.springframework:spring-web in versions:

- 6.1.0 through 6.1.11
- 6.0.0 through 6.0.22
- 5.3.0 through 5.3.37

Older, unsupported versions are also affected.

### Mitigation
Users of affected versions should upgrade to the corresponding fixed version:

- 6.1.x -> 6.1.12
- 6.0.x -> 6.0.23
- 5.3.x -> 5.3.38
No other mitigation steps are necessary.

Users of older, unsupported versions could enforce a size limit on `If-Match` and `If-None-Match` headers, e.g. through a Filter.
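
The following servlet Filter is an added illustration of the size-limit workaround described above; it is not code from the advisory or from the Spring project. It assumes the `javax.servlet` API used by Spring 5.x and earlier (for Spring 6 / Jakarta EE the package prefix is `jakarta.servlet`), a class name `ConditionalHeaderSizeFilter` chosen here, and an assumed budget of 1024 characters per header, which comfortably covers a realistic comma-separated list of ETags while keeping oversized values away from the ETag parser.

```java
import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects requests whose If-Match / If-None-Match headers exceed a size budget,
 * so the downstream ETag parser never receives oversized input.
 * Example code added for illustration; not part of Spring Framework.
 */
public class ConditionalHeaderSizeFilter implements Filter {

    // Assumed budget (not from the advisory): individual ETags are a few dozen
    // bytes, so 1 KiB leaves room for a realistic list. Tune for your application.
    static final int MAX_HEADER_LENGTH = 1024;

    // The two conditional headers whose ETag lists the advisory is about.
    private static final String[] GUARDED_HEADERS = {"If-Match", "If-None-Match"};

    // RFC 6585 status code for oversized request header fields. Used as a literal
    // because the SC_* constant only exists in Servlet API 4.0 and later.
    private static final int SC_REQUEST_HEADER_FIELDS_TOO_LARGE = 431;

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        for (String name : GUARDED_HEADERS) {
            // Header name lookup is case-insensitive in the Servlet API. A header may
            // be sent more than once, so the budget applies to the combined length.
            int total = 0;
            Enumeration<String> values = req.getHeaders(name);
            while (values != null && values.hasMoreElements()) {
                total += values.nextElement().length();
                if (total > MAX_HEADER_LENGTH) {
                    // Stop before any ETag parsing happens; do not echo the value back.
                    res.sendError(SC_REQUEST_HEADER_FIELDS_TOO_LARGE,
                            "Request header " + name + " too large");
                    return;
                }
            }
        }
        chain.doFilter(request, response);
    }
}
```

Register the filter ahead of Spring's dispatcher so it runs before any controller or `ResourceHttpRequestHandler` evaluates the conditional headers: with `@WebFilter(urlPatterns = "/*")` on the class in a plain servlet container, via `web.xml`, or with a `FilterRegistrationBean` given a low `setOrder` value in Spring Boot. Counting the combined length of repeated header values, rather than only the first value, matters because the container presents repeated headers as separate values even though the parser sees all of them.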

Comment 2 errata-xmlrpc 2024-10-14 15:53:50 UTC
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.4.3 for Spring Boot

Via RHSA-2024:8064 https://access.redhat.com/errata/RHSA-2024:8064

