CVE-2024-38828: DoS via Spring MVC controller method with byte[] parameter
Published Nov 18, 2024
Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.
Affected Software (2 affected components; fixes available)

Component                                  Affected versions       Fixed in
maven/org.springframework:spring-webmvc    >=5.3.0 <5.3.42         5.3.42
IBM Controller                             <=11.1.0 - 11.1.1       (no fix listed)
Event History

Nov 18, 2024
- CVE Published via MITRE, 03:45 AM
- Data Sourced via MITRE, 03:45 AM (Description, Severity)
- Data Sourced via NVD, 04:15 AM (Description, Severity, Weakness)
- Advisory Published via GitHub, 06:30 AM

Dec 4, 2025
- Data Sourced via IBM, 12:00 AM (Description, Affected Software)
Frequently Asked Questions

1. What is the severity of CVE-2024-38828?
CVE-2024-38828 has been classified as a high severity vulnerability due to its potential for denial of service attacks.

2. How do I fix CVE-2024-38828?
To fix CVE-2024-38828, upgrade to Spring Framework version 5.3.42 or later.

3. What versions of Spring MVC are affected by CVE-2024-38828?
CVE-2024-38828 affects Spring MVC versions from 5.3.0 through 5.3.41.

4. What type of attack does CVE-2024-38828 allow?
CVE-2024-38828 allows attackers to perform denial of service (DoS) attacks against applications using vulnerable Spring MVC controller methods.

5. Is CVE-2024-38828 associated with any specific software?
CVE-2024-38828 specifically impacts the Spring Web MVC framework in the affected versions.