CVE-2024-33807
Spring Boot Loader Vulnerability
FALSE POSITIVE
Rundeck and Runbook Automation are not vulnerable to this CVE.
The vulnerability exists in Spring Boot Loader 2.7.0 to 2.7.21 and was fixed in 2.7.22.
Rundeck uses Spring Boot 2.7.18, which is part of Grails 6.1, so moving to a fixed version would require an update of the Grails Framework. This update is currently not scheduled until sometime in 2025.
The vulnerability applies to applications with custom code that performs signature verification of nested jar files. Such code may be vulnerable to signature forgery, where content that appears to have been signed by one signer has, in fact, been signed by another.
This kind of signature verification is not used in Rundeck or Runbook Automation products, so they are not vulnerable to this finding.
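
A triage sketch for scanner hits on this CVE, added here as an example and not Rundeck or Spring code: it reads the `Spring-Boot-Version` manifest attribute of a Spring Boot archive, checks it against the affected range stated above, and lists nested jars that carry signature files. It assumes the manifest version matches the bundled loader; the function names and the sample archive are constructed for illustration.

```python
import io, re, zipfile

# Affected Spring Boot Loader range as stated in the advisory above.
AFFECTED = ((2, 7, 0), (2, 7, 21))

def boot_version(archive):
    """Spring-Boot-Version from the manifest as an int tuple, or None."""
    if "META-INF/MANIFEST.MF" not in archive.namelist():
        return None
    manifest = archive.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Spring-Boot-Version:\s*(\d+)\.(\d+)\.(\d+)", manifest, re.M)
    return tuple(int(p) for p in m.groups()) if m else None

def signed_nested_jars(archive):
    """Nested jars that carry a JAR signature file (META-INF/*.SF)."""
    signed = []
    for name in (n for n in archive.namelist() if n.lower().endswith(".jar")):
        try:
            with zipfile.ZipFile(io.BytesIO(archive.read(name))) as nested:
                if any(re.fullmatch(r"META-INF/[^/]+\.SF", n, re.I) for n in nested.namelist()):
                    signed.append(name)
        except zipfile.BadZipFile:
            continue  # entry is not a readable jar; skip it
    return sorted(signed)

def triage(data):
    """Report loader version, range membership, and signed nested jars."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        version = boot_version(archive)
        return {
            "version": version,
            "in_affected_range": version is not None and AFFECTED[0] <= version <= AFFECTED[1],
            "signed_nested_jars": signed_nested_jars(archive),
        }

def build_sample(version):
    """Constructed sample archive: one signed and one unsigned nested jar."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for entry, content in entries.items():
                z.writestr(entry, content)
        return buf.getvalue()
    plain = {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\n"}
    return jar({
        "META-INF/MANIFEST.MF": f"Manifest-Version: 1.0\r\nSpring-Boot-Version: {version}\r\n",
        "BOOT-INF/lib/signed-lib.jar": jar({**plain, "META-INF/SIGNER.SF": "Signature-Version: 1.0\r\n"}),
        "BOOT-INF/lib/plain-lib.jar": jar(plain),
    })
```

A version inside the range plus signed nested jars only tells you where to look: the finding applies only if application code actually verifies those nested jar signatures, which this script cannot determine.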