[MAVEN:GHSA-7CJ3-X93G-GJ76] Signature forgery in Spring Boot's Loader
- Severity: Moderate
- Affected Packages: 10
- Fixed Packages: 10
- CVEs: 1
Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.
Package | Affected Version |
---|---|
pkg:maven/org.springframework.boot/spring-boot-loader-classic | >= 3.3.0, <= 3.3.2 |
pkg:maven/org.springframework.boot/spring-boot-loader-classic | >= 3.2.0, <= 3.2.8 |
pkg:maven/org.springframework.boot/spring-boot-loader-classic | >= 3.1.0, <= 3.1.12 |
pkg:maven/org.springframework.boot/spring-boot-loader-classic | >= 3.0.0, <= 3.0.16 |
pkg:maven/org.springframework.boot/spring-boot-loader-classic | >= 2.7.0, <= 2.7.21 |
pkg:maven/org.springframework.boot/spring-boot-loader | >= 3.3.0, <= 3.3.2 |
pkg:maven/org.springframework.boot/spring-boot-loader | >= 3.2.0, <= 3.2.8 |
pkg:maven/org.springframework.boot/spring-boot-loader | >= 3.1.0, <= 3.1.12 |
pkg:maven/org.springframework.boot/spring-boot-loader | >= 3.0.0, <= 3.0.16 |
pkg:maven/org.springframework.boot/spring-boot-loader | >= 2.7.0, <= 2.7.21 |
- ID: MAVEN:GHSA-7CJ3-X93G-GJ76
- Severity: moderate
- URL: https://github.com/advisories/GHSA-7cj3-x93g-gj76
- Published: 2024-08-23T09:30:35
- Modified: 2024-08-23T18:52:48
- Rights: Maven Security Team
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:maven/org.springframework.boot/spring-boot-loader-classic | org.springframework.boot | spring-boot-loader-classic | >= 3.3.0 <= 3.3.2 | |||
Fixed | pkg:maven/org.springframework.boot/spring-boot-loader-classic | org.springframework.boot | spring-boot-loader-classic | = 3.3.3 | |||
Affected | pkg:maven/org.springframework.boot/spring-boot-loader-classic | org.springframework.boot | spring-boot-loader-classic | >= 3.2.0 <= 3.2.8 | |||
Fixed | pkg:maven/org.springframework.boot/spring-boot-loader-classic | org.springframework.boot | spring-boot-loader-classic | = 3.2.9 | |||
Affected | pkg:maven/org.springframework.boot/spring-boot-loader-classic | org.springframework.boot | spring-boot-loader-classic | >= 3.1.0 <= 3.1.12 | |||
Fixed | pkg:maven/org.springframework.boot/spring-boot-loader-classic | org.springframework.boot | spring-boot-loader-classic | = 3.1.13 | |||
Affected | pkg:maven/org.springframework.boot/spring-boot-loader-classic | org.springframework.boot | spring-boot-loader-classic | >= 3.0.0 <= 3.0.16 | |||
Fixed | pkg:maven/org.springframework.boot/spring-boot-loader-classic | org.springframework.boot | spring-boot-loader-classic | = 3.0.17 | |||
Affected | pkg:maven/org.springframework.boot/spring-boot-loader-classic | org.springframework.boot | spring-boot-loader-classic | >= 2.7.0 <= 2.7.21 | |||
Fixed | pkg:maven/org.springframework.boot/spring-boot-loader-classic | org.springframework.boot | spring-boot-loader-classic | = 2.7.22 | |||
Affected | pkg:maven/org.springframework.boot/spring-boot-loader | org.springframework.boot | spring-boot-loader | >= 3.3.0 <= 3.3.2 | |||
Fixed | pkg:maven/org.springframework.boot/spring-boot-loader | org.springframework.boot | spring-boot-loader | = 3.3.3 | |||
Affected | pkg:maven/org.springframework.boot/spring-boot-loader | org.springframework.boot | spring-boot-loader | >= 3.2.0 <= 3.2.8 | |||
Fixed | pkg:maven/org.springframework.boot/spring-boot-loader | org.springframework.boot | spring-boot-loader | = 3.2.9 | |||
Affected | pkg:maven/org.springframework.boot/spring-boot-loader | org.springframework.boot | spring-boot-loader | >= 3.1.0 <= 3.1.12 | |||
Fixed | pkg:maven/org.springframework.boot/spring-boot-loader | org.springframework.boot | spring-boot-loader | = 3.1.13 | |||
Affected | pkg:maven/org.springframework.boot/spring-boot-loader | org.springframework.boot | spring-boot-loader | >= 3.0.0 <= 3.0.16 | |||
Fixed | pkg:maven/org.springframework.boot/spring-boot-loader | org.springframework.boot | spring-boot-loader | = 3.0.17 | |||
Affected | pkg:maven/org.springframework.boot/spring-boot-loader | org.springframework.boot | spring-boot-loader | >= 2.7.0 <= 2.7.21 | |||
Fixed | pkg:maven/org.springframework.boot/spring-boot-loader | org.springframework.boot | spring-boot-loader | = 2.7.22 | |||
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Publication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|