Description
Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.
CVSS breakdown
CVSS 3.1
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Affected products
- Spring / Spring Boot2.7.x – 2.7.22
- Spring / Spring Boot3.0.x – 3.0.17
- Spring / Spring Boot3.1.x – 3.1.13
- Spring / Spring Boot3.2.x – 3.2.9
- Spring / Spring Boot3.3.x – 3.3.3