An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.
oryginał ENCVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HVMware Spring Boot
APPVmware< 2.7.333.3.0 – 3.3.19 (bez)3.4.0 – 3.4.16 (bez)3.5.0 – 3.5.14 (bez)4.0.0 – 4.0.6 (bez)
Powiązane podatności
VMware Spring Boot: nieefektywna domyślna ochrona web security — nieautoryzowany dostęp
An issue in Dromara SaToken version 1.36.0 and before allows a remote attacker to escalate privileges via a cr...
In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is ...
Element Plug-in for vCenter Server incorporates SpringBoot Framework. SpringBoot Framework versions prior to 1...
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), ve...