Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreSpring Security Advisories
CVE-2024-38807: Signature Forgery Vulnerability in Spring Boot's Loader
Description
Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.
Affected Spring Products and Versions
Spring Boot
- 2.7.0 - 2.7.21
- 3.0.0 - 3.0.16
- 3.1.0 - 3.1.12
- 3.2.0 - 3.2.8
- 3.3.0 - 3.3.2
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 2.7.x | 2.7.22 | Enterprise Support Only |
| 3.0.x | 3.0.17 | Enterprise Support Only |
| 3.1.x | 3.1.13 | Enterprise Support Only |
| 3.2.x | 3.2.9 | OSS |
| 3.3.x | 3.3.3 | OSS |
Credit
The issue was identified and responsibly reported by Yufan You.
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all