CVE-2024-38807: Signature Forgery Vulnerability in Spring Boot's Loader
References:
- https://spring.io/security/cve-2024-38807
- https://github.com/advisories/GHSA-7cj3-x93g-gj76
- https://nvd.nist.gov/vuln/detail/CVE-2024-38807
Description
Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.
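Added illustration, not code from Spring Boot or from this advisory: custom verification code that wants to know who signed a nested jar should let the JDK verify the nested jar as a jar of its own and then pin the signer's leaf certificate, rather than accepting "some valid signature". It assumes the nested jar has already been copied out of the outer (repackaged) jar to a file, and that the caller supplies the expected SHA-256 of the DER-encoded signer certificate; the class and method names are hypothetical.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Path;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.HexFormat;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example: checks that every content entry of a nested jar is signed by one pinned certificate. */
public final class NestedJarSignerCheck {

    /** Returns true only if every non-signature entry carries the expected signer (SHA-256 of the leaf cert, hex). */
    static boolean allEntriesSignedBy(Path nestedJar, String expectedLeafCertSha256Hex) throws Exception {
        // verify=true makes the JDK check each entry's digest against the signed manifest while it is read
        try (JarFile jar = new JarFile(nestedJar.toFile(), true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureRelated(entry.getName())) continue;
                // Signer data is only populated after the entry has been read to the end, so drain it first.
                try (InputStream in = jar.getInputStream(entry)) {
                    in.transferTo(OutputStream.nullOutputStream());
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) return false; // unsigned content: reject
                boolean pinned = false;
                for (CodeSigner signer : signers) {
                    Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
                    pinned |= sha256Hex(leaf.getEncoded()).equalsIgnoreCase(expectedLeafCertSha256Hex);
                }
                if (!pinned) return false; // validly signed, but by a signer we do not trust
            }
            return true;
        }
    }

    /** Manifest and signature block files carry no signer of their own and are skipped. */
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF")
            || (n.startsWith("META-INF/") && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    static String sha256Hex(byte[] der) throws Exception {
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(der));
    }
}
```

Comparing the leaf certificate to a pinned fingerprint is what turns "content signed by a different signer" into a detectable failure instead of a pass.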
Affected Spring Products and Versions
Spring Boot
- 2.7.0 - 2.7.21
- 3.0.0 - 3.0.16
- 3.1.0 - 3.1.12
- 3.2.0 - 3.2.8
- 3.3.0 - 3.3.2
CVSS
CVSS v3 base score: 6.3
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- Scope: Unchanged
- User Interaction: None
- Availability: None
- Confidentiality: High
- Integrity: High
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Provenance
- GitHub | Nov 19, 2019 | Spring Boot | PR | Signed jar dependency performance problem when repackaged in a single jar #19041 https://github.com/spring-projects/spring-boot/pull/19041
- GitHub | Thu Aug 22 2024 | Spring Boot | Commit | Improve loading of jar entry certificates 0b24ee857189e139f48826bf2aef10ae8680c11b
todo