{ "threat_severity" : "Moderate", "public_date" : "2024-08-20T00:00:00Z", "bugzilla" : { "description" : "spring-expression: Denial of service when processing a specially crafted Spring Expression Language expression", "id" : "2305959", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2305959" }, "cvss3" : { "cvss3_base_score" : "5.9", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-400", "details" : [ "In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition.\nSpecifically, an application is vulnerable when the following is true:\n* The application evaluates user-supplied SpEL expressions.", "A flaw was found in the Spring framework package. A maliciously crafted Spring Expression Language (SePL) may trigger uncontrolled CPU usage, leading to a denial of service in the application consuming it. To be considered vulnerable, one application has to evaluate user-supplied SpEL expressions." ], "affected_release" : [ { "product_name" : "OCP-Tools-4.12-RHEL-8", "release_date" : "2024-11-05T00:00:00Z", "advisory" : "RHSA-2024:8886", "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8", "package" : "jenkins-0:2.462.3.1730119132-3.el8" }, { "product_name" : "OCP-Tools-4.12-RHEL-8", "release_date" : "2024-11-05T00:00:00Z", "advisory" : "RHSA-2024:8886", "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8", "package" : "jenkins-2-plugins-0:4.12.1730119231-1.el8" }, { "product_name" : "OCP-Tools-4.13-RHEL-8", "release_date" : "2024-11-05T00:00:00Z", "advisory" : "RHSA-2024:8887", "cpe" : "cpe:/a:redhat:ocp_tools:4.13::el8", "package" : "jenkins-0:2.462.3.1729839924-3.el8" }, { "product_name" : "OCP-Tools-4.13-RHEL-8", "release_date" : "2024-11-05T00:00:00Z", "advisory" : "RHSA-2024:8887", "cpe" : "cpe:/a:redhat:ocp_tools:4.13::el8", "package" : "jenkins-2-plugins-0:4.13.1729840148-1.el8" }, { "product_name" : "OCP-Tools-4.14-RHEL-8", "release_date" : "2024-11-05T00:00:00Z", "advisory" : "RHSA-2024:8885", "cpe" : "cpe:/a:redhat:ocp_tools:4.14::el8", "package" : "jenkins-0:2.462.3.1729839727-3.el8" }, { "product_name" : "OCP-Tools-4.14-RHEL-8", "release_date" : "2024-11-05T00:00:00Z", "advisory" : "RHSA-2024:8885", "cpe" : "cpe:/a:redhat:ocp_tools:4.14::el8", "package" : "jenkins-2-plugins-0:4.14.1729839844-1.el8" }, { "product_name" : "OCP-Tools-4.15-RHEL-8", "release_date" : "2024-11-05T00:00:00Z", "advisory" : "RHSA-2024:8884", "cpe" : "cpe:/a:redhat:ocp_tools:4.15::el8", "package" : "jenkins-0:2.462.3.1729837947-3.el8" }, { "product_name" : "OCP-Tools-4.15-RHEL-8", "release_date" : "2024-11-05T00:00:00Z", "advisory" : "RHSA-2024:8884", "cpe" : "cpe:/a:redhat:ocp_tools:4.15::el8", "package" : "jenkins-2-plugins-0:4.15.1729838165-1.el8" }, { "product_name" : "Red Hat build of Apache Camel 4.4.2 for Spring Boot", "release_date" : "2024-09-09T00:00:00Z", "advisory" : "RHSA-2024:6508", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.4.2", "package" : "org.springframework/spring-expression" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Not affected", "package_name" : "org.springframework/spring-expression", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "org.springframework/spring-expression", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Not affected", "package_name" : "org.springframework/spring-expression", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat AMQ Clients", "fix_state" : "Not affected", "package_name" : "org.springframework/spring-expression", "cpe" : "cpe:/a:redhat:amq_clients:2023" }, { "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3", "fix_state" : "Not affected", "package_name" : "org.springframework/spring-expression", "cpe" : "cpe:/a:redhat:camel_quarkus:3" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 3", "fix_state" : "Out of support scope", "package_name" : "org.springframework/spring-expression", "cpe" : "cpe:/a:redhat:camel_spring_boot:3" }, { "product_name" : "Red Hat build of Apache Camel - HawtIO 4", "fix_state" : "Fix deferred", "package_name" : "org.springframework/spring-expression", "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4", "impact" : "low" }, { "product_name" : "Red Hat Build of Keycloak", "fix_state" : "Not affected", "package_name" : "org.springframework/spring-expression", "cpe" : "cpe:/a:redhat:build_keycloak:" }, { "product_name" : "Red Hat build of OptaPlanner 8", "fix_state" : "Will not fix", "package_name" : "org.springframework/spring-expression", "cpe" : "cpe:/a:redhat:optaplanner:::el6" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Fix deferred", "package_name" : "org.springframework/spring-expression", "cpe" : "cpe:/a:redhat:quarkus:3", "impact" : "low" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "org.springframework/spring-expression", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Out of support scope", "package_name" : "org.apache.servicemix.bundles/org.apache.servicemix.bundles.spring-expression", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Out of support scope", "package_name" : "org.springframework/spring-expression", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Not affected", "package_name" : "org.apache.servicemix.bundles/org.apache.servicemix.bundles.spring-expression", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Not affected", "package_name" : "org.springframework/spring-expression", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Not affected", "package_name" : "org.apache.servicemix.bundles/org.apache.servicemix.bundles.spring-expression", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Not affected", "package_name" : "org.springframework/spring-expression", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "org.apache.servicemix.bundles/org.apache.servicemix.bundles.spring-expression", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "org.springframework/spring-expression", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "org.springframework/spring-expression", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "org.apache.servicemix.bundles/org.apache.servicemix.bundles.spring-expression", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "org.springframework/spring-expression", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Will not fix", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Fix deferred", "package_name" : "org.springframework/spring-expression", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "impact" : "low" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Not affected", "package_name" : "org.springframework/spring-expression", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "Red Hat Virtualization 4", "fix_state" : "Under investigation", "package_name" : "ovirt-dependencies", "cpe" : "cpe:/o:redhat:rhev_hypervisor:4" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-38808\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-38808\nhttps://spring.io/security/cve-2024-38808" ], "name" : "CVE-2024-38808", "csaw" : false }