Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2024-38809: Spring Framework DoS via conditional HTTP request
Description
Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack.
Affected Spring Products and Versions
Spring Framework
- 6.1.0 - 6.1.11
- 6.0.0 - 6.0.22
- 5.3.0 - 5.3.37
- Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 6.1.x | 6.1.12 | OSS |
| 6.0.x | 6.0.23 | OSS |
| 5.3.x | 5.3.38 | OSS |
No other mitigation steps are necessary.
Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.
Credit
This issue was responsibly reported by Seokchan Yoon.
History
- 2024-08-14: Initial vulnerability report published.
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all