Spring Security Advisories

CVE-2024-38809: Spring Framework DoS via conditional HTTP request

MEDIUM | AUGUST 14, 2024 | CVE-2024-38809

Description

Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack.

Affected Spring Products and Versions

Spring Framework

  • 6.1.0 - 6.1.11
  • 6.0.0 - 6.0.22
  • 5.3.0 - 5.3.37
  • Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s)Fix versionAvailability
6.1.x6.1.12OSS
6.0.x6.0.23OSS
5.3.x5.3.38OSS

No other mitigation steps are necessary.

Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.

Credit

This issue was responsibly reported by Seokchan Yoon.

History

  • 2024-08-14: Initial vulnerability report published.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all