- Description
- Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.
- Source
- security@vmware.com
- NVD status
- Analyzed
- Products
- spring_boot
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- security@vmware.com
- CWE-295
- Hype score
- Not currently trending
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2838ED31-53BD-4663-9532-8E0E968E4013",
"versionEndExcluding": "2.7.33",
"versionStartIncluding": "2.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*",
"matchCriteriaId": "28EE6470-24FD-49D1-A2F0-7A19B290A161",
"versionEndExcluding": "3.3.19",
"versionStartIncluding": "3.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*",
"matchCriteriaId": "758A9E8F-0C52-43D9-8D84-69622B345A4E",
"versionEndExcluding": "3.4.16",
"versionStartIncluding": "3.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D23096A1-8269-46C5-9215-9098E87D0A24",
"versionEndExcluding": "3.5.14",
"versionStartIncluding": "3.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*",
"matchCriteriaId": "12A166C5-8B55-4BA3-AA8B-6024A257D441",
"versionEndExcluding": "4.0.6",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]