6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-38807

GHSA ID

GHSA-7cj3-x93g-gj76

EPSS Score

0.0245%

CWE

CWE-347

Published

8/23/2024

Updated

1/17/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-38807

CVE-2024-38807: Signature forgery in Spring Boot's Loader

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.

(GitHub Advisory)

6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-38807

GHSA ID

GHSA-7cj3-x93g-gj76

EPSS Score

0.0245%

CWE

CWE-347

Published

8/23/2024

Updated

1/17/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.springframework.boot:spring-boot-loader	maven	>= 2.7.0, <= 2.7.21	2.7.22
org.springframework.boot:spring-boot-loader-classic	maven	>= 2.7.0, <= 2.7.21	2.7.22
org.springframework.boot:spring-boot-loader	maven	>= 3.0.0, <= 3.0.16	3.0.17
org.springframework.boot:spring-boot-loader-classic	maven	>= 3.0.0, <= 3.0.16	3.0.17
org.springframework.boot:spring-boot-loader	maven	>= 3.1.0, <= 3.1.12	3.1.13
org.springframework.boot:spring-boot-loader-classic	maven	>= 3.1.0, <= 3.1.12	3.1.13
org.springframework.boot:spring-boot-loader	maven	>= 3.2.0, <= 3.2.8	3.2.9
org.springframework.boot:spring-boot-loader-classic	maven	>= 3.2.0, <= 3.2.8	3.2.9
org.springframework.boot:spring-boot-loader	maven	>= 3.3.0, <= 3.3.2	3.3.3
org.springframework.boot:spring-boot-loader-classic	maven	>= 3.3.0, <= 3.3.2	3.3.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper isolation of cryptographic signature contexts in nested JAR processing. Based on the CWE-347 description and Spring Boot's architecture:

The JarFile class is central to nested JAR handling, and its signature verification logic would need to maintain strict separation between layers.
The JarEntryCertification class (hypothetical name based on pattern) likely handles entry-specific validation, where improper signer association could occur.
Confidence is medium due to lack of direct patch/diff access, but inferred from:
- The vulnerability's focus on nested JAR signature isolation
- Spring Boot's known JAR handling architecture
- The CWE's emphasis on verification context management
- Version ranges suggesting changes in JAR loading logic

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ppli**tions t**t us* sprin*-*oot-lo***r or sprin*-*oot-lo***r-*l*ssi* *n* *ont*in *ustom *o** t**t p*r*orms si*n*tur* v*ri*i**tion o* n*st** j*r *il*s m*y ** vuln*r**l* to si*n*tur* *or**ry w**r* *ont*nt t**t *pp**rs to **v* ***n si*n** *y on* si*n*

Reasoning

T** vuln*r**ility st*ms *rom improp*r isol*tion o* *rypto*r*p*i* si*n*tur* *ont*xts in n*st** J*R pro**ssin*. **s** on t** *W*-*** **s*ription *n* Sprin* *oot's *r**it**tur*: *. T** `J*r*il*` *l*ss is **ntr*l to n*st** J*R **n*lin*, *n* its si*n*tur*

6.3

Basic Information

Concerned about an active attack path?

CVE-2024-38807: Signature forgery in Spring Boot's Loader

6.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI