
I heard about this vulnerability (CVE-2024-38828) and tried to look for details, but couldn't find anything useful.

I could imagine why it may cause a DoS: sending too much data may cause a denial of service in the end. But what I don't understand, in order to properly think about implementing some countermeasures or a fix for this in my applications, is the technical explanation of the issue. Because if it's just a problem of "too much data", I am wondering if we can actually call this a "vulnerability".

Some questions come into my mind:

  • What does the fix in the commercially supported version 5.3.42 of the Spring Framework do? Does it simply disable the ability to use @RequestBody byte[]? Or rather implement some (configurable) limit check on the input size before processing? Or yet fix some other processing which was clearly wrong?
  • Why is @RequestBody String not an issue instead? If the problem is just that the input might be so big as to cause a DoS, couldn't a mapping to String suffer from the same problem?
  • Why is Spring Framework 6.x not vulnerable?

I'm really curious about this, but could not find any explanation of the real problem anywhere.

Tags: CVE-2024-38828 in Spring Framework: what's the root cause; Stack Overflow