Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack.
Users of affected versions should upgrade to the corresponding fixed version.
Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.
Metrics
Affected Vendors & Products
References
History
Tue, 15 Oct 2024 02:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Redhat
Redhat apache Camel Spring Boot |
|
CPEs | cpe:/a:redhat:apache_camel_spring_boot:4.4.3 | |
Vendors & Products |
Redhat
Redhat apache Camel Spring Boot |
Fri, 27 Sep 2024 20:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Vmware
Vmware spring Framework |
|
Weaknesses | CWE-400 | |
CPEs | cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* | |
Vendors & Products |
Vmware
Vmware spring Framework |
|
Metrics |
ssvc
|
Fri, 27 Sep 2024 16:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | A flaw was found in the Spring Web (org.springframework:spring-web) package. Due to improper ETag prefix validation when the application parses ETags from the `If-Match` or `If-None-Match` request headers, an attacker can trigger a denial of service by sending a maliciously crafted conditional HTTP request. | Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions should upgrade to the corresponding fixed version. Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter. |
Wed, 25 Sep 2024 22:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | No description is available for this CVE. | A flaw was found in the Spring Web (org.springframework:spring-web) package. Due to improper ETag prefix validation when the application parses ETags from the `If-Match` or `If-None-Match` request headers, an attacker can trigger a denial of service by sending a maliciously crafted conditional HTTP request. |
Tue, 24 Sep 2024 23:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | No description is available for this CVE. | |
Title | org.springframework:spring-web: Spring Framework DoS via conditional HTTP request | |
Weaknesses | CWE-1333 | |
References |
|
|
Metrics |
threat_severity
|
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: vmware
Published: 2024-09-27T16:39:52.644Z
Updated: 2024-09-27T19:19:01.160Z
Reserved: 2024-06-19T22:31:57.187Z
Link: CVE-2024-38809
Vulnrichment
Updated: 2024-09-27T17:03:10.001Z
NVD
Status : Awaiting Analysis
Published: 2024-09-27T17:15:12.393
Modified: 2024-09-30T12:45:57.823
Link: CVE-2024-38809
Redhat