CVE-2024-38807

NameCVE-2024-38807
DescriptionApplications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libspring-java (PTS)jessie, jessie (lts)3.0.6.RELEASE-17+deb8u2vulnerable
stretch (security), stretch (lts), stretch4.3.5-1+deb9u1vulnerable
buster4.3.22-4vulnerable
bullseye4.3.30-1vulnerable
sid, trixie, bookworm4.3.30-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libspring-javasource(unstable)(unfixed)unimportant

Notes

https://spring.io/security/cve-2024-38807
Only supported for building applications shipped in Debian, see README.Debian.security

Search for package or bug name: Reporting problems