CVE-2024-38809 — Spring Framework DoS via conditional HTTP request

Description

Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions should upgrade to the corresponding fixed version. Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.

How to fix CVE-2024-38809

To remediate CVE-2024-38809, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 5.3.38 or later

Is CVE-2024-38809 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 5.3.38

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-38809
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-38809
PATCHgithub.com/spring-projects/spring-framework
WEBgithub.com/spring-projects/spring-framework/commit/582bfccbb72e5c8959a0b472d1dc7d03a20520f3