CVE-2024-38807: 
Java vulnerability analysis and mitigation

CVE-2024-38807 is a signature forgery vulnerability discovered in Spring Boot's Loader, disclosed on August 23, 2024. The vulnerability affects applications using spring-boot-loader or spring-boot-loader-classic that contain custom code for signature verification of nested jar files. This security issue impacts Spring Boot versions 2.7.0 through 2.7.21, 3.0.0 through 3.0.16, 3.1.0 through 3.1.12, 3.2.0 through 3.2.8, and 3.3.0 through 3.3.2 (Spring Security).

The vulnerability allows for signature forgery where content that appears to have been signed by one signer has actually been signed by another. The severity of this vulnerability has been assessed as MEDIUM with a CVSS v3.1 base score of 6.3 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N). This scoring indicates that the vulnerability requires local access, has high attack complexity, requires low privileges, needs no user interaction, and can potentially lead to high impacts on confidentiality and integrity without affecting availability (Spring Security).

When successfully exploited, this vulnerability could lead to disclosure of sensitive information or addition/modification of data in affected systems. The vulnerability specifically impacts applications that perform signature verification of nested jar files, potentially compromising the integrity of signed content (NetApp Security).

Users of affected versions should upgrade to the corresponding fixed versions: 2.7.22 (Enterprise Support Only), 3.0.17 (Enterprise Support Only), 3.1.13 (Enterprise Support Only), 3.2.9 (OSS), or 3.3.3 (OSS). These patches have been released to address the vulnerability (Spring Security).

The Spring Boot team promptly addressed the vulnerability by releasing versions 3.2.9 and 3.3.3 containing fixes for CVE-2024-38807. For support customers, versions 2.7.22, 3.0.17, and 3.1.13 were also released (Spring Blog).