Connect with sales  +1 877-586-1965

By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Manage Consent Preferences by Category
Essentials
Always active

Necessary for the site to function. Always On.

Used for targeted advertising.

Remembers your preferences and provides enhanced features.

Measures usage and improves your experience.

Reject AllAccept All
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
View all Vulnerabilities

CVE-2024-38828

Denial of Service
Affects
Spring Framework
<5.3.42
in
Spring
No items found.
Exclamation circle icon
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs
View NES Solution

Overview

Spring Framework is a powerful and versatile Java application framework designed to simplify enterprise-level development. It provides a comprehensive ecosystem for building robust, scalable, and maintainable applications by offering tools for dependency injection, aspect-oriented programming, data access, transaction management, and more. Seamlessly integrating with other Java technologies, Spring Framework fosters modular development while reducing boilerplate code, enabling developers to focus on business logic. Its flexible, lightweight architecture makes it a go-to choice for creating web, microservices, and enterprise-grade applications.

A Denial of Service (DoS) vulnerability (CVE-2024-38828) has been identified in Spring Framework, which enables attackers to perform DoS attacks.

Per OWASP: The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or the way the service handles resources it uses.

This issue affects all versions of Spring Framework less than 5.3.42.

Details

Module Info

Vulnerability Info

A Denial of Service (DoS) attack is a cyberattack aimed at making a system, service, or network unavailable to its intended users. This is typically achieved by overwhelming the target with an excessive amount of traffic or sending it data designed to trigger failures. The goal is to disrupt normal operations, causing slowdowns or complete inaccessibility.

RequestBody byte[] method parameters used in a Spring MVC controller method are vulnerable to a Denial of Service (DoS) attack.

Steps To Reproduce

Our team will publish steps for reproduction in the future.

Credits

  • macter

Mitigation

Spring Framework 5.3.x is no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Framework.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
  • Switch from using @RequestBody byte[] to InputStream.
Pink arrow
Pink arrow
CVE-2021-22112
CVE-2022-22978
CVE-2022-22976
CVE-2022-27772
CVE-2023-20883
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2024-53677
What is a HeroDevs Security Advisory?
Vulnerability Details
ID
CVE-2024-38828
PROJECT Affected
Spring Framework
Versions Affected
<5.3.42
Published date
November 15, 2024
≈ Fix date
November 15, 2024
Fixed in
NES for Spring
Severity
Medium
Category
Denial of Service