← voltar
CVE-2026-44308

Spring Cloud AWS: Missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications

CVSS 6.3 MEDIUMEPSS 0.2%CWE-345
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 6.3EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
14 mai 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Spring Cloud AWS simplifies using AWS managed services in a Spring and Spring Boot applications. From 3.0.0 to 4.0.1, pplications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support (@NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping) did not verify the signature of incoming SNS messages. An unauthenticated attacker who knows the endpoint URL could send crafted HTTP POST requests mimicking SNS Notification or SubscriptionConfirmation messages. This vulnerability is fixed in 4.0.2.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Produtos afetados
awspring · spring-cloud-awsio.awspring.cloud · spring-cloud-aws-sns

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/awspring/spring-cloud-aws/security/advisories/GHSA-r4w4-wv68-qv85