216.73.217.172

CVE-2026-44308

· Published 14/05/2026 15:16 · Modified 14/05/2026 18:19

Labels: CVE-2026-44308 2026-05-14CVE-2026-44308CWE-345[email protected]

Essential information

Published
14/05/2026 15:16
Modified
14/05/2026 18:19
Author
Creator
CVSS
6.3 MEDIUM (v3) 6.3 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Spring Cloud AWS simplifies using AWS managed services in a Spring and Spring Boot applications. From 3.0.0 to 4.0.1, pplications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support (@NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping) did not verify the signature of incoming SNS messages. An unauthenticated attacker who knows the endpoint URL could send crafted HTTP POST requests mimicking SNS Notification or SubscriptionConfirmation messages. This vulnerability is fixed in 4.0.2.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
spring / spring cloud aws cpe:2.3:a:spring:spring_cloud_aws:<4.0.2:*:*:*:*:*:*:*

References