CVE-2024-38807

Published: Aug 23, 2024Modified: Mar 27, 2025

6.3

Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 1.0 / Impact: 5.2

Source: security@vmware.com (Secondary)

Description

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.

Related CWEs

CWE-290

Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

CWE-347

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (2)

https://spring.io/security/cve-2024-38807

Source: security@vmware.com

https://security.netapp.com/advisory/ntap-20250117-0006/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.