Moderate severityNVD Advisory· Published Aug 20, 2024· Updated Oct 30, 2024
CVE-2024-38808: Spring Expression DoS Vulnerability
CVE-2024-38808
Description
In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition.
Specifically, an application is vulnerable when the following is true:
- The application evaluates user-supplied SpEL expressions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework:spring-expressionMaven | < 5.3.39 | 5.3.39 |
Affected products
16- osv-coords15 versionspkg:apk/chainguard/apache-nifipkg:apk/chainguard/apache-nifi-compatpkg:apk/chainguard/apache-nifi-toolkitpkg:apk/chainguard/jenkinspkg:apk/chainguard/jenkins-2.452pkg:apk/chainguard/jenkins-2.462pkg:apk/chainguard/jenkins-compatpkg:apk/chainguard/jenkins-remotingpkg:apk/wolfi/apache-nifipkg:apk/wolfi/apache-nifi-compatpkg:apk/wolfi/apache-nifi-toolkitpkg:apk/wolfi/jenkinspkg:apk/wolfi/jenkins-compatpkg:apk/wolfi/jenkins-remotingpkg:maven/org.springframework/spring-expression
< 1.27.0-r1+ 14 more
- (no CPE)range: < 1.27.0-r1
- (no CPE)range: < 1.27.0-r1
- (no CPE)range: < 1.27.0-r1
- (no CPE)range: < 2.473-r0
- (no CPE)range: < 2.452.4-r1
- (no CPE)range: < 2.462.1-r1
- (no CPE)range: < 2.473-r0
- (no CPE)range: < 2.473-r0
- (no CPE)range: < 1.27.0-r1
- (no CPE)range: < 1.27.0-r1
- (no CPE)range: < 1.27.0-r1
- (no CPE)range: < 2.473-r0
- (no CPE)range: < 2.473-r0
- (no CPE)range: < 2.473-r0
- (no CPE)range: < 5.3.39
- Range: 5.3.0
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-9cmq-m9j5-mvwwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-38808ghsaADVISORY
- github.com/spring-projects/spring-framework/commit/26f2dad388499faecf99e75b8856788e95d8d658ghsaWEB
- github.com/spring-projects/spring-framework/commit/f44d13cb7816e586b86c02421af4f5498391111cghsaWEB
- security.netapp.com/advisory/ntap-20240920-0002ghsaWEB
- spring.io/security/cve-2024-38808ghsaWEB
News mentions
0No linked articles in our index yet.