CVE-2024-38828 - Vulnerability Details

Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Vmware	Spring

No data.

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2024-38828
https://security.netapp.com/advisory/ntap-20250509-0009/
https://spring.io/security/cve-2024-38828
https://www.cve.org/CVERecord?id=CVE-2024-38828

History

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.0014}`	epss `{'score': 0.00114}`

Fri, 09 May 2025 20:45:00 +0000

Type	Values Removed	Values Added
References		https://security.netapp.com/advisory/ntap-20250509-0009/

Thu, 13 Mar 2025 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400

Fri, 22 Nov 2024 14:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20
References		https://nvd.nist.gov/vuln/detail/CVE-2024-38828 https://www.cve.org/CVERecord?id=CVE-2024-38828
Metrics	threat_severity `None`	threat_severity `Moderate`

Mon, 18 Nov 2024 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Vmware Vmware spring
CPEs		cpe:2.3:a:vmware:spring::::::::
Vendors & Products		Vmware Vmware spring
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 18 Nov 2024 04:00:00 +0000

Type	Values Removed	Values Added
Description		Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.
Title		CVE-2024-38828: DoS via Spring MVC controller method with byte[] parameter
References		https://spring.io/security/cve-2024-38828
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2024-11-18T03:45:46.542Z

Updated: 2025-05-09T20:03:35.921Z

Reserved: 2024-06-19T22:32:07.790Z

Link: CVE-2024-38828

Vulnrichment

Updated: 2025-05-09T20:03:35.921Z

NVD

Status : Awaiting Analysis

Published: 2024-11-18T04:15:04.233

Modified: 2025-05-09T20:15:38.413

Link: CVE-2024-38828

Redhat

Severity : Moderate

Publid Date: 2024-11-18T03:45:46Z

Links: CVE-2024-38828 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38828", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2024-06-19T22:32:07.790Z", "datePublished": "2024-11-18T03:45:46.542Z", "dateUpdated": "2025-05-09T20:03:35.921Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "packageName": "Spring Framework", "product": "Spring", "vendor": "Spring", "versions": [{"lessThan": "5.3.42", "status": "affected", "version": "5.3.x", "versionType": "commercial"}]}], "datePublic": "2024-11-15T15:43:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Spring MVC controller methods with an <code>@RequestBody byte[]</code> method parameter are vulnerable to a DoS attack.</p>"}], "value": "Spring MVC controller methods with an @RequestBody byte[]\u00a0method parameter are vulnerable to a DoS attack."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-11-18T03:45:46.542Z"}, "references": [{"url": "https://spring.io/security/cve-2024-38828"}], "source": {"discovery": "UNKNOWN"}, "title": "CVE-2024-38828: DoS via Spring MVC controller method with byte[] parameter", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "affected": [{"vendor": "vmware", "product": "spring", "cpes": ["cpe:2.3:a:vmware:spring:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "5.3.0", "status": "affected", "lessThan": "5.3.42", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-18T15:07:55.672409Z", "id": "CVE-2024-38828", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-13T14:41:48.613Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250509-0009/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-05-09T20:03:35.921Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250509-0009/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-05-09T20:03:35.921Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38828", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-18T15:07:55.672409Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:vmware:spring:*:*:*:*:*:*:*:*"], "vendor": "vmware", "product": "spring", "versions": [{"status": "affected", "version": "5.3.0", "lessThan": "5.3.42", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-18T15:10:38.885Z"}}], "cna": {"title": "CVE-2024-38828: DoS via Spring MVC controller method with byte[] parameter", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring", "versions": [{"status": "affected", "version": "5.3.x", "lessThan": "5.3.42", "versionType": "commercial"}], "packageName": "Spring Framework", "defaultStatus": "affected"}], "datePublic": "2024-11-15T15:43:00.000Z", "references": [{"url": "https://spring.io/security/cve-2024-38828"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Spring MVC controller methods with an @RequestBody byte[]\u00a0method parameter are vulnerable to a DoS attack.", "supportingMedia": [{"type": "text/html", "value": "<p>Spring MVC controller methods with an <code>@RequestBody byte[]</code> method parameter are vulnerable to a DoS attack.</p>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-11-18T03:45:46.542Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38828", "state": "PUBLISHED", "dateUpdated": "2025-05-09T20:03:35.921Z", "dateReserved": "2024-06-19T22:32:07.790Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2024-11-18T03:45:46.542Z", "assignerShortName": "vmware"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Spring MVC controller methods with an @RequestBody byte[]\u00a0method parameter are vulnerable to a DoS attack."}, {"lang": "es", "value": "Los m\u00e9todos del controlador Spring MVC con un par\u00e1metro de m\u00e9todo byte[] @RequestBody son vulnerables a un ataque DoS."}], "id": "CVE-2024-38828", "lastModified": "2025-05-09T20:15:38.413", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2024-11-18T04:15:04.233", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2024-38828"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20250509-0009/"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "org.springframework:spring-webmvc: DoS via Spring MVC controller method with byte[] parameter", "id": "2326889", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2326889"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-20", "details": ["Spring MVC controller methods with an @RequestBody byte[]\u00a0method parameter are vulnerable to a DoS attack.", "A flaw was found in the Spring Framework. In certain versions, Spring MVC controller methods with a `@RequestBody byte[]` method parameter are vulnerable to a denial of service attack."], "name": "CVE-2024-38828", "package_state": [{"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Fix deferred", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Fix deferred", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Will not fix", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Fix deferred", "package_name": "org.springframework/spring-webmvc", "product_name": "streams for Apache Kafka"}], "public_date": "2024-11-18T03:45:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-38828\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-38828\nhttps://spring.io/security/cve-2024-38828"], "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object