[GHSA-g5vr-rgqm-vf78] Spring Framework Path Traversal vulnerability

[joshbressers]

Updates

• Affected products

Comments
Add the fix for version 5.3.41 and 6.0.25 which is noted in the spring advisory https://spring.io/security/cve-2024-38819

[Copilot]

Copilot wasn't able to review any files in this pull request.

Files not reviewed (1)

• advisories/github-reviewed/2024/12/GHSA-g5vr-rgqm-vf78/GHSA-g5vr-rgqm-vf78.json: Language not supported

[shelbyc]

Hi @joshbressers, per https://spring.io/security/cve-2024-38819, 5.3.41 and 6.0.25 are commercial-only releases that don't appear in the list of Spring Framework releases on GitHub or in the org.springframework:spring-webflux or org.springframework:spring-webmvc Maven releases. What do you think about setting the 5.3.x and 6.0.x VVRs to <= 5.3.39 and >= 6.0.0, <= 6.0.23 without a patched version to avoid generating alerts that tell open-source users to upgrade to an enterprise-only version?

ETA: I'm suggesting <= 5.3.39 and >= 6.0.0, <= 6.0.23 because those are the most recent open-source versions on the 5.3.x and 6.0.x branches.

[joshbressers]

Hi @shelbyc your point is fair. I think your suggestion makes a lot of sense. I'm less worried about suggesting an upgrade to a commercial version which would be weird. I mostly was looking to remove the false positive findings that Grype is currently surfacing

There are a few others I'll trickle in to match this in the coming days

Do you need me to make those changes, or can you do that on your side?

[advisory-database]

Hi @joshbressers! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

[shelbyc]

@joshbressers I just made the changes on my side. 👍 As far as other GHSAs go, you're welcome to submit those as individual PRs or, if you already know all the GHSAs that you'd like to see changed, provide a list of GHSAs in an issue on this repo.

If you already know all the GHSAs that you'd like to change, making a list is more efficient. If you're still finding GHSAs you'd like to change one-by-one over a period of time, it is likely better to make a pull request for each GHSA. The only thing about making an issue is that issues don't automatically lead to advisory credit the way PRs do, but if you're not worried about having advisory credit, providing a list in an issue a good option.