CVE-2024-38808

CVE Database · CVE-2024-38808

CVE-2024-38808

· MEDIUMAnalyzed

CVSS v3.1

4.3

EPSS

0.54%

Published

Aug 20, 2024

Modified

Jun 18, 2025

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition. Specifically, an application is vulnerable when the following is true: * The application evaluates user-supplied SpEL expressions.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Weaknesses (CWE)

CWE-770

Affected Products (5)

vmware · spring_framework (up to 5.3.39)vulnerable

netapp · active_iq_unified_managervulnerable

netapp · oncommand_insightvulnerable

References (2)

https://spring.io/security/cve-2024-38808

Vendor Advisory

https://security.netapp.com/advisory/ntap-20240920-0002/

Third Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs