CVE-2024-38828

Category: Denial of Service
Affects: Spring Framework < 5.3.0; >= 5.3.0, <= 5.3.41 (in Spring)
Patch Available: this vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Framework is a powerful and versatile Java application framework designed to simplify enterprise-level development. It provides a comprehensive ecosystem for building robust, scalable, and maintainable applications by offering tools for dependency injection, aspect-oriented programming, data access, transaction management, and more. Seamlessly integrating with other Java technologies, Spring Framework fosters modular development while reducing boilerplate code, enabling developers to focus on business logic. Its flexible, lightweight architecture makes it a go-to choice for creating web, microservices, and enterprise-grade applications.

This vulnerability in Spring Framework (5.3.x versions) enables attackers to perform DoS attacks.

This issue affects all versions of Spring Framework <= 5.3.41.

Details

Module Info

Vulnerability Info

A Denial of Service (DoS) attack is a cyberattack aimed at making a system, service, or network unavailable to its intended users. This is typically achieved by overwhelming the target with an excessive amount of traffic or sending it data designed to trigger failures. The goal is to disrupt normal operations, causing slowdowns or complete inaccessibility.

@RequestBody byte[] method parameters used in a Spring MVC controller method are vulnerable to a Denial of Service (DoS) attack.

Steps To Reproduce

Our team will publish steps for reproduction in the future.

Mitigation

Spring Framework 5.3.x is no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Framework.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
  • Switch from using @RequestBody byte[] to InputStream.
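As an added illustration of the last mitigation (example code written for this page, not code from the advisory or from the Spring project), the controller below takes the request body as an InputStream and reads it under an explicit size limit, so the application rather than the client decides how much memory a request may consume. The endpoint path, class name and the 1 MiB cap are assumptions for the example.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@RestController
public class UploadController {

    // Assumed limit for this example; size it to the payloads the endpoint really expects.
    private static final int MAX_BODY_BYTES = 1024 * 1024;

    // Affected form from the advisory, shown for contrast only:
    //   @PostMapping("/upload")
    //   public ResponseEntity<String> upload(@RequestBody byte[] body) { ... }

    // Mitigated form: Spring MVC exposes the raw request body when a handler
    // method declares an InputStream parameter, and the read is bounded below.
    @PostMapping("/upload")
    public ResponseEntity<String> upload(InputStream body) throws IOException {
        byte[] data = readBounded(body, MAX_BODY_BYTES);
        return ResponseEntity.ok("received " + data.length + " bytes");
    }

    // Reads at most maxBytes from the stream; rejects the request with
    // 413 Payload Too Large as soon as the body would exceed the limit.
    static byte[] readBounded(InputStream in, int maxBytes) throws IOException {
        byte[] buf = new byte[8192];
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        int n;
        while ((n = in.read(buf)) != -1) {
            if (out.size() + n > maxBytes) {
                throw new ResponseStatusException(HttpStatus.PAYLOAD_TOO_LARGE,
                        "request body exceeds " + maxBytes + " bytes");
            }
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }
}
```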

Credit

  • macter

Vulnerability Details

ID: CVE-2024-38828
Project Affected: Spring Framework
Versions Affected: < 5.3.0; >= 5.3.0, <= 5.3.41
Published date: November 15, 2024
≈ Fix date: November 15, 2024
Severity: Medium
Category: Denial of Service