
Request for exception approval for CVE-2024-38819 [Spring Framework Path Traversal Vulnerability] #16265

Open
AshishJogiAcc opened this issue Dec 12, 2024 · 3 comments
Labels
status: feedback-provided Feedback has been provided type: bug A general bug

Comments

@AshishJogiAcc

Description
We are facing a Path Traversal Vulnerability (CVE-2024-38819) in our application due to the Spring Framework.

Environment Details
• Spring Version: [Current Spring version] --> spring-boot-starter-web - 1.5.2.RELEASE
• Java Version: [Java 8]
• Dependency Management Tool: Maven
• Application Context: Spring boot web application
• Server: Tomcat

What We Tried
• Upgrading the Spring Web Version: Attempted upgrading the version of Spring Web dependency from 4.3.7.RELEASE.jar to 4.3.30.RELEASE.jar to resolve the issue. However, the vulnerability persists.

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-web</artifactId>
        <version>4.3.30.RELEASE</version>
    </dependency>

(4.3.30.RELEASE, or a 4.3.x version with security fixes.)

• Higher Version of Spring Framework: Tried considering a higher version of Spring Framework, but it requires upgrading our Java version [Java 18], which is not feasible due to compatibility and operational constraints.

Request
• Is there a workaround or alternative solution to address this vulnerability without upgrading the Java version?
• If not, can an exception be made to skip this issue, or are there any mitigations that can be applied at the code or configuration level? We would appreciate it if you could provide the confirmation in one of the following formats:
  1. Vendor confirmation email
  2. Ticket updates in PDF format
  3. Confirmation published on the vendor website

Impact
This vulnerability poses a security risk to our application in production, and we are looking for a solution that doesn't disrupt our existing setup.

Reference Document: Spring Framework Path Traversal Vulnerability - CVE-2024-38819.docx
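The report above describes bumping only the spring-web jar from 4.3.7.RELEASE to 4.3.30.RELEASE while the rest of the application stays on spring-boot-starter-web 1.5.2.RELEASE. Spring Framework modules are built and released together, and a Boot starter pulls in several of them (spring-webmvc, spring-core, spring-context, and so on) at the version the starter manages, so a single-artifact bump leaves the others at the old version and a dependency scanner will keep flagging the build. The script below is an added example (not code from the issue or from the Spring projects) that parses the output of `mvn dependency:list` and reports whether every `org.springframework` artifact resolved to the same version; the sample Maven output embedded in it is constructed to mirror the situation described in the issue, and the script makes no claim about which module CVE-2024-38819 affects.

```python
"""Report version skew among Spring Framework modules resolved by Maven.

Feed it the output of `mvn dependency:list`, whose resolved lines look like
    [INFO]    groupId:artifactId:type[:classifier]:version:scope
Added example; the sample output below is constructed, not taken from a real build.
"""
from collections import defaultdict

SPRING_FRAMEWORK_GROUP = "org.springframework"

# Constructed sample: spring-web was bumped by hand, the other Spring Framework
# modules managed by spring-boot-starter-web 1.5.2.RELEASE were not.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.boot:spring-boot-starter-web:jar:1.5.2.RELEASE:compile
[INFO]    org.springframework:spring-web:jar:4.3.30.RELEASE:compile
[INFO]    org.springframework:spring-webmvc:jar:4.3.7.RELEASE:compile
[INFO]    org.springframework:spring-core:jar:4.3.7.RELEASE:compile
[INFO]    org.springframework:spring-beans:jar:4.3.7.RELEASE:compile
[INFO]    org.springframework:spring-context:jar:4.3.7.RELEASE:compile
[INFO]    org.springframework:spring-aop:jar:4.3.7.RELEASE:compile
[INFO]    org.springframework:spring-expression:jar:4.3.7.RELEASE:compile
[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.11:compile
"""


def parse_dependency_list(text):
    """Return {(groupId, artifactId): version} for every resolved coordinate line."""
    deps = {}
    for line in text.splitlines():
        body = line.replace("[INFO]", "", 1).strip()
        parts = body.split(":")
        # A coordinate has at least group:artifact:type:version:scope and no spaces;
        # banner lines such as "The following files have been resolved:" are skipped.
        if len(parts) < 5 or " " in body:
            continue
        group, artifact, version = parts[0], parts[1], parts[-2]
        deps[(group, artifact)] = version
    return deps


def spring_framework_versions(deps):
    """Group org.springframework artifacts by the version they resolved to."""
    by_version = defaultdict(list)
    for (group, artifact), version in deps.items():
        if group == SPRING_FRAMEWORK_GROUP:
            by_version[version].append(artifact)
    return {version: sorted(artifacts) for version, artifacts in by_version.items()}


def check_alignment(deps):
    """Return one finding per distinct version when modules disagree; [] when aligned."""
    versions = spring_framework_versions(deps)
    if len(versions) <= 1:
        return []
    return [f"{version}: {', '.join(artifacts)}"
            for version, artifacts in sorted(versions.items())]


if __name__ == "__main__":
    # Replace SAMPLE_OUTPUT with the real text of `mvn dependency:list` to check a build.
    findings = check_alignment(parse_dependency_list(SAMPLE_OUTPUT))
    if findings:
        print("Spring Framework modules resolved to more than one version:")
        for finding in findings:
            print("  " + finding)
    else:
        print("All Spring Framework modules resolved to the same version.")
```

Run it against the real `mvn dependency:list` output of the project; an empty result means the Spring Framework modules agree, which is the state a scanner can evaluate against a single version rather than against a mix of old and new jars.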

@AshishJogiAcc AshishJogiAcc added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Dec 12, 2024
@jzheaux jzheaux added status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-triage An issue we've not yet triaged labels Dec 16, 2024
@jzheaux (Contributor)

jzheaux commented Dec 16, 2024

Hi, @AshishJogiAcc, thanks for reaching out about this. It would be better for you to report this to the Spring Framework project instead. Can you please file the issue there?

@spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

@spring-projects-issues spring-projects-issues added the status: feedback-reminder We've sent a reminder that we need additional information before we can continue label Dec 23, 2024
@Bagya04

Bagya04 commented Dec 24, 2024

We are currently working to address CVE-2024-38819 (Path Traversal Vulnerability) in our application. Our application is running on Spring Boot 1.5.2, Spring Framework 4.3.7, and OpenJDK 8, which may not support the necessary security patches.

To resolve this vulnerability effectively, we understand that upgrading the Spring Framework to version 6 and Java to version 17 is required. These upgrades are essential to ensure compatibility with the latest security measures and fixes.

We would like to receive official confirmation from the support/vendor team that this upgrade is mandatory for addressing the vulnerability, as we are currently using OpenJDK 8.

This confirmation would assist us in gaining some time to carry out the necessary steps to address and fix the vulnerability.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue status: feedback-reminder We've sent a reminder that we need additional information before we can continue labels Dec 24, 2024