[MAVEN:GHSA-J4R7-P9FP-W3F3] Spring Cloud Function Framework vulnerable to Denial of Service

Severity High
Affected Packages 2
Fixed Packages 2
CVEs 1

In Spring Cloud Function framework, versions 4.1.x prior to 4.1.2, 4.0.x prior to 4.0.8 an application is vulnerable to a DOS attack when attempting to compose functions with non-existing functions.

Specifically, an application is vulnerable when all of the following are true:

User is using Spring Cloud Function Web module

Affected Spring Products and Versions Spring Cloud Function Framework 4.1.0 to 4.1.2 4.0.0 to 4.0.8

References https://spring.io/security/cve-2022-22979   https://checkmarx.com/blog/spring-function-cloud-dos-cve-2022-22979-and-unintended-function-invocation/  History 2020-01-16: Initial vulnerability report published.

ID
MAVEN:GHSA-J4R7-P9FP-W3F3
Severity
high
URL
https://github.com/advisories/GHSA-j4r7-p9fp-w3f3
Published
2024-07-09T15:30:53
(4 days ago)
Modified
2024-07-09T21:13:50
(4 days ago)
Rights
Maven Security Team
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.springframework.cloud/spring-cloud-function-context org.springframework.cloud spring-cloud-function-context >= 4.1.0 < 4.1.2
Fixed pkg:maven/org.springframework.cloud/spring-cloud-function-context org.springframework.cloud spring-cloud-function-context = 4.1.2
Affected pkg:maven/org.springframework.cloud/spring-cloud-function-context org.springframework.cloud spring-cloud-function-context >= 4.0.0 < 4.0.8
Fixed pkg:maven/org.springframework.cloud/spring-cloud-function-context org.springframework.cloud spring-cloud-function-context = 4.0.8
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date
Loading...