Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions should upgrade to the corresponding fixed version. Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.
History

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
References

Tue, 15 Oct 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat apache Camel Spring Boot
CPEs cpe:/a:redhat:apache_camel_spring_boot:4.4.3
Vendors & Products Redhat
Redhat apache Camel Spring Boot

Fri, 27 Sep 2024 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Vmware
Vmware spring Framework
Weaknesses CWE-400
CPEs cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Vendors & Products Vmware
Vmware spring Framework
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Sep 2024 16:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in the Spring Web (org.springframework:spring-web) package. Due to improper ETag prefix validation when the application parses ETags from the `If-Match` or `If-None-Match` request headers, an attacker can trigger a denial of service by sending a maliciously crafted conditional HTTP request. Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions should upgrade to the corresponding fixed version. Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.

Wed, 25 Sep 2024 22:45:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. A flaw was found in the Spring Web (org.springframework:spring-web) package. Due to improper ETag prefix validation when the application parses ETags from the `If-Match` or `If-None-Match` request headers, an attacker can trigger a denial of service by sending a maliciously crafted conditional HTTP request.

Tue, 24 Sep 2024 23:15:00 +0000


cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2024-09-27T16:39:52.644Z

Updated: 2024-09-27T19:19:01.160Z

Reserved: 2024-06-19T22:31:57.187Z

Link: CVE-2024-38809

cve-icon Vulnrichment

Updated: 2024-09-27T17:03:10.001Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-09-27T17:15:12.393

Modified: 2024-11-21T09:26:51.010

Link: CVE-2024-38809

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-09-24T18:34:43Z

Links: CVE-2024-38809 - Bugzilla