Signature forgery in Spring Boot's Loader
High severity
GitHub Reviewed
Published Aug 23, 2024 to the GitHub Advisory Database • Updated Nov 18, 2024
Package
Affected versions        Patched versions
>= 2.7.0, <= 2.7.21      2.7.22
>= 3.0.0, <= 3.0.16      3.0.17
>= 3.1.0, <= 3.1.12      3.1.13
>= 3.2.0, <= 3.2.8       3.2.9
>= 3.3.0, <= 3.3.2       3.3.3
Description
Published by the National Vulnerability Database
Aug 23, 2024
Published to the GitHub Advisory Database
Aug 23, 2024
Reviewed
Aug 23, 2024
Last updated
Nov 18, 2024
Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.
References