CVE-2024-22271 – org.springframework.cloud:spring-cloud-function-context
Package
Manager: maven
Name: org.springframework.cloud:spring-cloud-function-context
Vulnerable Version: >=4.0.0 <4.0.8 || >=4.1.0 <4.1.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00214 pctl0.43946
Details
Spring Cloud Function Framework vulnerable to Denial of Service
In Spring Cloud Function framework, versions 4.1.x prior to 4.1.2 and 4.0.x prior to 4.0.8, an application is vulnerable to a denial-of-service (DoS) attack when attempting to compose functions with non-existing functions.
Specifically, an application is vulnerable when all of the following are true:
  The application uses the Spring Cloud Function Web module.
Affected Spring Products and Versions
  Spring Cloud Function Framework 4.1.0 through 4.1.1 (fixed in 4.1.2)
  Spring Cloud Function Framework 4.0.0 through 4.0.7 (fixed in 4.0.8)
References
  https://spring.io/security/cve-2022-22979
  https://checkmarx.com/blog/spring-function-cloud-dos-cve-2022-22979-and-unintended-function-invocation/
History
  2020-01-16: Initial vulnerability report published.
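The quickest practical check for this advisory is to compare the resolved version of spring-cloud-function-context in a build against the vulnerable range above. The following is an added example, not code from the advisory or from the Spring Cloud Function project: it implements a small parser for GHSA-style range expressions such as ">=4.0.0 <4.0.8 || >=4.1.0 <4.1.2" and applies it to the output of `mvn dependency:list`. The sample output lines embedded below are constructed for illustration; the artifact coordinates and range come from this advisory.

```python
"""Flag vulnerable spring-cloud-function-context versions in `mvn dependency:list` output.

Added example (not part of the advisory or of Spring Cloud Function). It parses
GHSA-style range expressions and matches them against Maven artifact lines.
"""
import re

# Coordinates and range exactly as stated in the advisory.
ARTIFACT = "org.springframework.cloud:spring-cloud-function-context"
VULNERABLE_RANGE = ">=4.0.0 <4.0.8 || >=4.1.0 <4.1.2"

# Constructed sample of `mvn dependency:list` output (not a real build).
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:4.0.5:compile
[INFO]    org.springframework.cloud:spring-cloud-function-web:jar:4.0.5:compile
[INFO]    org.springframework.boot:spring-boot-starter-web:jar:3.2.0:compile
"""

# groupId:artifactId:type[:classifier]:version:scope  (optional trailing text allowed)
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?:(?P<classifier>[\w\-]+):)?(?P<version>[^:\s]+):(?P<scope>\w+)"
)

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def parse_version(version):
    """Turn '4.0.8' or '4.0.8-SNAPSHOT' into a comparable tuple.

    Numeric components are padded to three; a qualifier (SNAPSHOT, RC1, ...)
    marks a pre-release, which sorts below the final release of the same number.
    """
    core, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (3 - len(nums))
    return nums + ((0,) if qualifier else (1,))


def _satisfies(parsed, comparator):
    """Evaluate one comparator such as '<4.0.8' against an already parsed version."""
    m = re.fullmatch(r"(>=|<=|>|<|=)\s*([0-9][0-9A-Za-z.\-]*)", comparator)
    if not m:
        raise ValueError(f"bad comparator: {comparator!r}")
    op, bound = m.groups()
    return _OPS[op](parsed, parse_version(bound))


def in_range(version, range_expr):
    """True if the version matches any '||' clause; comparators inside a clause are ANDed."""
    parsed = parse_version(version)
    for clause in range_expr.split("||"):
        comparators = clause.split()
        if comparators and all(_satisfies(parsed, c) for c in comparators):
            return True
    return False


def find_vulnerable(dependency_list_output, artifact=ARTIFACT, range_expr=VULNERABLE_RANGE):
    """Return [(version, is_vulnerable), ...] for every occurrence of the artifact."""
    hits = []
    for line in dependency_list_output.splitlines():
        m = DEP_LINE.match(line)
        if m and f"{m['group']}:{m['artifact']}" == artifact:
            hits.append((m["version"], in_range(m["version"], range_expr)))
    return hits


if __name__ == "__main__":
    for version, vulnerable in find_vulnerable(SAMPLE_OUTPUT):
        status = "VULNERABLE" if vulnerable else "ok"
        print(f"{ARTIFACT}:{version} -> {status}")
```

Run it against real output with `mvn dependency:list | python check.py`-style piping by replacing SAMPLE_OUTPUT with `sys.stdin.read()`; note that the checker reports the resolved version, so a transitive upgrade forced through dependencyManagement is reflected correctly, while a declared-but-overridden version in pom.xml is not what gets checked.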
Metadata
Created: 2024-07-09T15:30:53Z
Modified: 2024-07-09T21:13:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-j4r7-p9fp-w3f3/GHSA-j4r7-p9fp-w3f3.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-j4r7-p9fp-w3f3
Finding: F184
Auto approve: 1