Merge pull request #5158 from github/bclozel-GHSA-q3v6-hm2v-pw99

github · Jan 10, 2025 · 493742e · 493742e
2 parents 5d59d45 + 090fbea
commit 493742e
Showing 1 changed file with 31 additions and 24 deletions.
diff --git a/advisories/github-reviewed/2024/12/GHSA-q3v6-hm2v-pw99/GHSA-q3v6-hm2v-pw99.json b/advisories/github-reviewed/2024/12/GHSA-q3v6-hm2v-pw99/GHSA-q3v6-hm2v-pw99.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-q3v6-hm2v-pw99",
-  "modified": "2024-12-02T20:04:17Z",
+  "modified": "2024-12-02T20:04:18Z",
   "published": "2024-12-02T15:31:41Z",
   "aliases": [
     "CVE-2024-38827"
@@ -12,17 +12,13 @@
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
-    },
-    {
-      "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
     {
       "package": {
         "ecosystem": "Maven",
-        "name": "org.springframework:spring-beans"
+        "name": "org.springframework.security:spring-security-core"
       },
       "ranges": [
         {
@@ -32,7 +28,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "6.1.14"
+              "fixed": "5.7.14"
             }
           ]
         }
@@ -41,7 +37,7 @@
     {
       "package": {
         "ecosystem": "Maven",
-        "name": "org.springframework:spring-context"
+        "name": "org.springframework.security:spring-security-core"
       },
       "ranges": [
         {
@@ -51,7 +47,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "6.1.14"
+              "fixed": "5.8.16"
             }
           ]
         }
@@ -60,7 +56,7 @@
     {
       "package": {
         "ecosystem": "Maven",
-        "name": "org.springframework:spring-core"
+        "name": "org.springframework.security:spring-security-core"
       },
       "ranges": [
         {
@@ -70,7 +66,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "6.1.14"
+              "fixed": "6.0.14"
             }
           ]
         }
@@ -79,7 +75,7 @@
     {
       "package": {
         "ecosystem": "Maven",
-        "name": "org.springframework:spring-expression"
+        "name": "org.springframework.security:spring-security-core"
       },
       "ranges": [
         {
@@ -89,7 +85,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "6.1.14"
+              "fixed": "6.1.12"
             }
           ]
         }
@@ -98,7 +94,7 @@
     {
       "package": {
         "ecosystem": "Maven",
-        "name": "org.springframework:spring-jdbc"
+        "name": "org.springframework.security:spring-security-core"
       },
       "ranges": [
         {
@@ -108,7 +104,26 @@
               "introduced": "0"
             },
             {
-              "fixed": "6.1.14"
+              "fixed": "6.2.8"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.springframework.security:spring-security-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.3.5"
             }
           ]
         }
@@ -120,17 +135,9 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38827"
     },
-    {
-      "type": "WEB",
-      "url": "https://github.com/spring-projects/spring-framework/issues/33708"
-    },
-    {
-      "type": "WEB",
-      "url": "https://github.com/spring-projects/spring-framework/commit/11d4272ff48b4a4dabc4b28dfbff0364a4204bc9"
-    },
     {
       "type": "PACKAGE",
-      "url": "https://github.com/spring-projects/spring-framework"
+      "url": "https://github.com/spring-projects/spring-security"
     },
     {
       "type": "WEB",