Spring Framework DoS (CVE-2024-38808, CVE-2024-38809 and CVE-2024-22262)
36814
27 January 2026
27 January 2026
CLOSED
LOW
Varies
CVE-2024-38808, CVE-2024-38809, CVE-2024-22262
Brocade Security Advisory ID | BSA-2024-2760
Component | Spring
Summary
The Spring Framework vulnerabilities identified are located within open source components used by Brocade SANnav; however, none of these vulnerabilities lies in the executed code path. As part of good security practice, the open source component was updated in the Brocade SANnav 3.0.0 release.
CVE-2024-38808: Spring Expression DoS Vulnerability
In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition.
Specifically, an application is vulnerable when the following is true:
- The application evaluates user-supplied SpEL expressions.
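The condition above (evaluating user-supplied SpEL) is the one to design out. The following is an added illustration, not Brocade or Spring project code, of the defensive pattern: the client picks a filter by name, and only server-defined expressions that were parsed at startup are ever evaluated, inside a `SimpleEvaluationContext` that exposes nothing beyond read-only property access. The class, the `Alert` root object and the two sample expressions are assumptions constructed for the example.

```java
import java.util.Map;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

// Hypothetical service (not Brocade or Spring code). The client never supplies SpEL
// text; it supplies a key into a server-defined allowlist of pre-parsed expressions.
public final class FilterExpressions {

    // Constructed sample: the only expressions this service will ever evaluate.
    private static final Map<String, Expression> ALLOWED;

    static {
        SpelExpressionParser parser = new SpelExpressionParser();
        ALLOWED = Map.of(
            "critical", parser.parseExpression("severity >= 8"),
            "open",     parser.parseExpression("status == 'OPEN'"));
    }

    // Root object for evaluation. With forReadOnlyDataBinding() only its getters are
    // reachable: no method invocation, type references or bean resolution.
    public static final class Alert {
        private final int severity;
        private final String status;

        public Alert(int severity, String status) {
            this.severity = severity;
            this.status = status;
        }

        public int getSeverity() { return severity; }
        public String getStatus() { return status; }
    }

    private FilterExpressions() {}

    public static boolean matches(String filterKey, Alert alert) {
        // The vulnerable pattern this replaces would be:
        //   new SpelExpressionParser().parseExpression(filterKey)
        // i.e. parsing whatever string the client sent.
        Expression expr = ALLOWED.get(filterKey);
        if (expr == null) {
            throw new IllegalArgumentException("unknown filter: " + filterKey);
        }
        Boolean result = expr.getValue(
            SimpleEvaluationContext.forReadOnlyDataBinding().build(), alert, Boolean.class);
        return Boolean.TRUE.equals(result);
    }

    public static void main(String[] args) {
        Alert alert = new Alert(9, "OPEN");
        System.out.println(matches("critical", alert)); // true
        System.out.println(matches("open", alert));     // true
        try {
            // Arbitrary client text is rejected by name lookup before any parser sees it.
            matches("severity >= 0 or status != null", alert);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The lookup-by-key design is what removes the DoS surface: the parser only ever sees strings the server owns, and upgrading to a patched Spring Framework release remains the fix for the parser itself.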
CVE-2024-38809: Spring Framework DoS via conditional HTTP request
Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to a DoS attack.
CVE-2024-22262: Spring Framework URL Parsing with Host Validation (3rd report)
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22259 and CVE-2024-22243, but with different input.
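The pattern behind this finding is a host check performed on one parser's view of the URL while the URL is later used by another. The added example below, which is not Brocade or Spring project code, shows the defensive shape: parse once with the strict `java.net.URI` parser, reject anything that is not an absolute http(s) URL with a plain host, check that host against an allowlist, and hand the validated `URI` object itself (never the raw string) to the caller. The class name, the allowlist entries and the sample inputs are constructed assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper (not Brocade or Spring code): validate an externally supplied
// redirect or fetch target against a host allowlist before it is used anywhere.
public final class HostAllowlistValidator {

    // Constructed sample allowlist; a real deployment would load this from configuration.
    private static final Set<String> ALLOWED_HOSTS =
        Set.of("sannav.example.com", "intranet.example.com");

    private HostAllowlistValidator() {}

    /**
     * Returns the parsed URI only if it is absolute, hierarchical, uses http or https,
     * carries no userinfo and has a host on the allowlist. The validated URI object is
     * what gets returned, so the consumer cannot re-parse the raw string with a
     * different (more lenient) parser and reach a different host.
     */
    public static URI validate(String externalUrl) {
        final URI uri;
        try {
            uri = new URI(externalUrl); // strict RFC 3986 parsing; malformed input throws
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL", e);
        }
        if (!uri.isAbsolute() || uri.isOpaque()) {
            throw new IllegalArgumentException("URL must be absolute and hierarchical");
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme);
        }
        // Userinfo ("user@host") is a classic way to make a host check look at the wrong
        // component, so refuse it outright rather than trying to interpret it.
        if (uri.getRawUserInfo() != null) {
            throw new IllegalArgumentException("userinfo not allowed");
        }
        String host = uri.getHost(); // null when the authority is not a server-based one
        if (host == null) {
            throw new IllegalArgumentException("no parseable host");
        }
        if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("host not on allowlist: " + host);
        }
        return uri;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one accepted, the rest rejected for different reasons.
        List<String> samples = List.of(
            "https://sannav.example.com/reports?id=7",
            "https://other.example.org/",
            "https://sannav.example.com@other.example.org/",
            "ftp://sannav.example.com/",
            "/relative/path");
        for (String s : samples) {
            try {
                System.out.println("accepted: " + validate(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Returning the parsed `URI` rather than the original string is the design choice that matters: the component that issues the redirect or outbound request then operates on exactly the host that was checked, and the allowlist keeps the decision independent of how any particular library tokenises unusual input.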
Products Affected
- No Brocade Fibre Channel products from Broadcom are affected
Products Not Affected
- Brocade SANnav versions before SANnav 3.0.0 contain the vulnerable component, but are not exploitable [VEX Justification: Vulnerable_code_not_in_execute_path]
- Brocade Fabric OS [VEX Justification: Component_not_present]
- Brocade ASCG [VEX Justification: Component_not_present]
Solution
- While not exploitable, a security update is included in Brocade SANnav version 3.0.0
Revision History
Version | Change | Date
1.0 | Initial Publication | January 27, 2026
Disclaimer
THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.