CVE-2024-38809

Category: Denial of Service
Affects: Spring Framework (>=4.3.0 <=4.3.30, >=5.3.0 <5.3.38, >=6.0.0 <6.0.23, >=6.1.0 <6.1.12) in Spring
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Spring Framework is a comprehensive Java framework for building enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of web applications by allowing you to use Java as your primary language while offering a variety of tools to manage application configuration, data access, and security.

A Denial of Service (DoS) vulnerability (CVE-2024-38809) has been identified in Spring Framework, affecting applications that parse ETags from If-Match or If-None-Match request headers. Users of affected versions should upgrade to the corresponding fixed version. For older, unsupported versions, enforcing a size limit on If-Match and If-None-Match headers, for example through a servlet filter, can help mitigate the risk.

The Open Web Application Security Project (OWASP) explains that DoS attacks aim to make a service “unavailable for the purpose it was designed.” In this case, carefully crafted ETags can trigger excessive computation, preventing other users from accessing the system in a timely manner—or at all.

This issue affects multiple versions of Spring Framework.

Details

Module Info

Vulnerability Info

This medium-severity vulnerability is found in the spring-web.jar module of the Spring Framework.

The flaw affects applications that parse ETags in HTTP headers, specifically those using the If-Match or If-None-Match headers. Exploiting this vulnerability allows an attacker to disrupt services by sending conditional HTTP requests that the application cannot process efficiently, leading to resource exhaustion and impacting availability.

For users on unsupported versions who cannot upgrade, a workaround is to enforce size limits on the affected headers, which can be implemented through a filter.
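As an added illustration of the header-size workaround described above (example code written for this page, not code from the HeroDevs advisory or from the Spring project): a Spring `OncePerRequestFilter` that rejects requests whose If-Match or If-None-Match headers exceed a size budget before Spring's ETag parsing ever sees them. It assumes the javax.servlet API used by Spring 4.3.x and 5.3.x, a component scan that registers the bean, and limit values that are assumptions to be sized for your application's real ETags.

```java
import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Rejects requests whose If-Match / If-None-Match headers exceed a size budget
 * before they reach Spring's ETag parsing (workaround for CVE-2024-38809 on
 * versions that cannot be upgraded).
 */
@Component
@Order(Ordered.HIGHEST_PRECEDENCE) // run ahead of any Spring MVC handling
public class ConditionalHeaderSizeFilter extends OncePerRequestFilter {

    // Assumed limits: tune them to the longest legitimate ETag list your clients send.
    private static final int MAX_HEADER_CHARS = 1024; // total characters per header name
    private static final int MAX_ETAG_COUNT = 16;     // comma-separated values per header name
    private static final String[] GUARDED = {"If-Match", "If-None-Match"};

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        for (String name : GUARDED) {
            String reason = checkHeader(request.getHeaders(name), name);
            if (reason != null) {
                // 431 Request Header Fields Too Large: the request is refused, nothing is parsed.
                response.sendError(HttpStatus.REQUEST_HEADER_FIELDS_TOO_LARGE.value(), reason);
                return;
            }
        }
        chain.doFilter(request, response);
    }

    /** Returns null if all values of the header fit the budget, otherwise a short rejection reason. */
    static String checkHeader(Enumeration<String> values, String name) {
        int chars = 0, etags = 0;
        while (values != null && values.hasMoreElements()) {
            String value = values.nextElement();
            chars += value.length();
            // Conservative element count: commas inside quoted ETags are counted too,
            // which only makes the limit stricter, never looser.
            etags += value.split(",").length;
            if (chars > MAX_HEADER_CHARS || etags > MAX_ETAG_COUNT) {
                return name + " header exceeds the allowed size";
            }
        }
        return null;
    }
}
```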

Steps To Reproduce

You can simulate a Denial of Service (DoS) attack through this vulnerability by crafting an HTTP request with an oversized or overly complex If-Match or If-None-Match header. Since this flaw specifically impacts Spring applications that process ETags, the proof-of-concept (PoC) would aim to overload the application's header-processing logic.

A malicious request could exploit the regular expression (regex) matching logic used during header processing. By sending a large number of repeated requests whose header value is a long sequence of *, the attacker causes the application to parse the value into a large array of ETag elements, consuming significantly more CPU and memory than intended and ultimately leading to resource exhaustion.

Credits

  • Seokchan Yoon

Mitigation

Spring Framework 4.3.x is no longer community-supported. The community support version will not receive any updates to address this issue.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a corrected version.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

  • ID: CVE-2024-38809
  • Project Affected: Spring Framework
  • Versions Affected: >=4.3.0 <=4.3.30, >=5.3.0 <5.3.38, >=6.0.0 <6.0.23, >=6.1.0 <6.1.12
  • Published date: August 27, 2024
  • Approximate fix date: August 27, 2024
  • Severity: Medium
  • Category: Denial of Service