CVE-2024-38808

MEDIUM EPSS 41.1%

Published Aug 20, 20241y ago · Modified Jun 17, 20261w ago

4.3 CVSS 3.1

Medium

Published Aug 20, 2024 1y ago

Last Modified Jun 17, 2026 1w ago

Description

In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition. Specifically, an application is vulnerable when the following is true: * The application evaluates user-supplied SpEL expressions.

CVSS Details

Base Score

4.3

Exploitability

2.8

Impact

1.4

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction Required

Scope Unchanged

Confidentiality None

Integrity None

Availability Low

Threat Intelligence

EPSS Exploit Probability

41.1% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-770

Affected Products 5

Vendor	Product	Version	Range
vmware	spring_framework	*	≥5.3.0 – <5.3.39
netapp	active_iq_unified_manager	*	any
netapp	active_iq_unified_manager	*	any
netapp	active_iq_unified_manager	*	any
netapp	oncommand_insight	*	any

References 2

security.netapp.com https://security.netapp.com/advisory/ntap-20240920-0002/

Third Party Advisory
spring.io https://spring.io/security/cve-2024-38808

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.