OpenCVE

Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Vmware	Spring

No data.

No data.

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2024-38828
https://spring.io/security/cve-2024-38828
https://www.cve.org/CVERecord?id=CVE-2024-38828

History

Fri, 22 Nov 2024 14:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20
References		https://nvd.nist.gov/vuln/detail/CVE-2024-38828 https://www.cve.org/CVERecord?id=CVE-2024-38828
Metrics	threat_severity `None`	threat_severity `Moderate`

Mon, 18 Nov 2024 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Vmware Vmware spring
CPEs		cpe:2.3:a:vmware:spring::::::::
Vendors & Products		Vmware Vmware spring
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 18 Nov 2024 04:00:00 +0000

Type	Values Removed	Values Added
Description		Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.
Title		CVE-2024-38828: DoS via Spring MVC controller method with byte[] parameter
References		https://spring.io/security/cve-2024-38828
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2024-11-18T03:45:46.542Z

Updated: 2024-11-18T15:11:00.525Z

Reserved: 2024-06-19T22:32:07.790Z

Link: CVE-2024-38828

Vulnrichment

Updated: 2024-11-18T15:10:38.885Z

NVD

Status : Awaiting Analysis

Published: 2024-11-18T04:15:04.233

Modified: 2024-11-18T17:11:17.393

Link: CVE-2024-38828

Redhat

Severity : Moderate

Publid Date: 2024-11-18T03:45:46Z

Links: CVE-2024-38828 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38828", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2024-06-19T22:32:07.790Z", "datePublished": "2024-11-18T03:45:46.542Z", "dateUpdated": "2024-11-18T15:11:00.525Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "packageName": "Spring Framework", "product": "Spring", "vendor": "Spring", "versions": [{"lessThan": "5.3.42", "status": "affected", "version": "5.3.x", "versionType": "commercial"}]}], "datePublic": "2024-11-15T15:43:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Spring MVC controller methods with an <code>@RequestBody byte[]</code> method parameter are vulnerable to a DoS attack.</p>"}], "value": "Spring MVC controller methods with an @RequestBody byte[]\u00a0method parameter are vulnerable to a DoS attack."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-11-18T03:45:46.542Z"}, "references": [{"url": "https://spring.io/security/cve-2024-38828"}], "source": {"discovery": "UNKNOWN"}, "title": "CVE-2024-38828: DoS via Spring MVC controller method with byte[] parameter", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "vmware", "product": "spring", "cpes": ["cpe:2.3:a:vmware:spring:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "5.3.0", "status": "affected", "lessThan": "5.3.42", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-18T15:07:55.672409Z", "id": "CVE-2024-38828", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-18T15:11:00.525Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38828", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-18T15:07:55.672409Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:vmware:spring:*:*:*:*:*:*:*:*"], "vendor": "vmware", "product": "spring", "versions": [{"status": "affected", "version": "5.3.0", "lessThan": "5.3.42", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-18T15:10:38.885Z"}}], "cna": {"title": "CVE-2024-38828: DoS via Spring MVC controller method with byte[] parameter", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring", "versions": [{"status": "affected", "version": "5.3.x", "lessThan": "5.3.42", "versionType": "commercial"}], "packageName": "Spring Framework", "defaultStatus": "affected"}], "datePublic": "2024-11-15T15:43:00.000Z", "references": [{"url": "https://spring.io/security/cve-2024-38828"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Spring MVC controller methods with an @RequestBody byte[]\u00a0method parameter are vulnerable to a DoS attack.", "supportingMedia": [{"type": "text/html", "value": "<p>Spring MVC controller methods with an <code>@RequestBody byte[]</code> method parameter are vulnerable to a DoS attack.</p>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-11-18T03:45:46.542Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38828", "state": "PUBLISHED", "dateUpdated": "2024-11-18T15:11:00.525Z", "dateReserved": "2024-06-19T22:32:07.790Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2024-11-18T03:45:46.542Z", "assignerShortName": "vmware"}, "dataVersion": "5.1"}

{"bugzilla": {"description": "org.springframework:spring-webmvc: DoS via Spring MVC controller method with byte[] parameter", "id": "2326889", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2326889"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-20", "details": ["Spring MVC controller methods with an @RequestBody byte[]\u00a0method parameter are vulnerable to a DoS attack."], "name": "CVE-2024-38828", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat build of Apache Camel - HawtIO"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "streams for Apache Kafka"}], "public_date": "2024-11-18T03:45:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-38828\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-38828\nhttps://spring.io/security/cve-2024-38828"], "threat_severity": "Moderate"}