
spring 5.3.39 how to fix CVE-2016-1000027 CVE-2024-38827 #34232

Closed
stevenliuit opened this issue Jan 10, 2025 · 3 comments
Assignees: bclozel
Labels: status: invalid (An issue that we don't feel is valid)

Comments

stevenliuit commented Jan 10, 2025

**Bug Reports**

Spring version 5.3.39 has two vulnerabilities, CVE-2016-1000027 and CVE-2024-38827. Can you provide a fixed version, for example 5.3.40 or another version? If we need to upgrade to version 6.x to fix them, the change to our project will be very large and difficult.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Jan 10, 2025
@bclozel bclozel self-assigned this Jan 10, 2025
bclozel (Member) commented Jan 10, 2025

CVE-2016-1000027 is a well-known false positive, please read this issue comment.

CVE-2024-38827 is a Spring Security issue, not a Spring Framework one. Our official advisory explains that well, but it seems that the GitHub advisory is wrong. I'll try and submit a fix for that one to GitHub.

Spring Framework 5.3.x and 6.0.x are only commercially supported at this point. We've released several commercial releases fixing CVEs and bugs in the meantime. For example, Spring Framework 5.4.42. Unless you are a commercial customer, you should be upgrading to an OSS supported version as soon as possible since 5.3.39 is vulnerable to several CVEs (for example, CVE-2024-38828).

Please keep an eye on our blog post announcements and official support page to plan for upgrades in advance.

Thanks!
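For teams that cannot move off 5.3.39 immediately and want to stop their software-composition-analysis tool from re-raising the two findings discussed above on every build, one way to record the triage decision is a scoped scanner suppression. The following is an added example, not part of this issue thread and not a Spring project file. It assumes OWASP Dependency-Check as the scanner, assumes the application does not expose the deprecated Java-serialization remoting classes that CVE-2016-1000027 concerns (HttpInvokerServiceExporter / RemoteInvocationSerializingExporter), and uses package-URL patterns, note text and an expiry date that are my own choices.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for OWASP Dependency-Check; not from the Spring project. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- CVE-2016-1000027: Spring maintainers treat this as a false positive for applications
       that do not expose HttpInvokerServiceExporter / RemoteInvocationSerializingExporter.
       Scope the suppression to the Spring Framework artifacts only, never globally.
       The "until" date (assumed) forces the suppression to expire so the decision is re-reviewed. -->
  <suppress until="2025-12-31Z">
    <notes><![CDATA[
      Triage: CVE-2016-1000027 applies only to the deprecated HTTP Invoker remoting
      (Java deserialization). Verified this application registers no such exporter.
      Reference: spring-projects/spring-framework#34232 (maintainer comment).
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-(web|context|core|beans)@5\.3\..*$</packageUrl>
    <cve>CVE-2016-1000027</cve>
  </suppress>

  <!-- CVE-2024-38827: per the maintainer, a Spring Security issue that was mis-mapped to
       Spring Framework in the GitHub advisory database. Suppress it only for
       org.springframework (Framework) artifacts; it must still be evaluated for
       org.springframework.security artifacts, which this pattern deliberately excludes. -->
  <suppress until="2025-12-31Z">
    <notes><![CDATA[
      Triage: CVE-2024-38827 is a Spring Security advisory, not a Spring Framework one.
      See github/advisory-database#5158 for the mapping correction.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-[a-z\-]+@5\.3\..*$</packageUrl>
    <cve>CVE-2024-38827</cve>
  </suppress>

  <!-- Deliberately NOT suppressed: CVE-2024-38828 and any other Framework CVE fixed only in
       commercial 5.3.x releases or in OSS 6.x. Those remain real findings on 5.3.39. -->
</suppressions>
```

Pass the file to the scanner (for the CLI, `dependency-check.sh --suppression <file>`), and keep the suppressions narrow: matching on both the package URL and the specific CVE means an unrelated future advisory against the same artifact is still reported, and the expiry date keeps the "false positive" decision from silently outliving the upgrade plan the maintainer recommends.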

@bclozel bclozel closed this as not planned Won't fix, can't repro, duplicate, stale Jan 10, 2025
@bclozel bclozel added status: invalid An issue that we don't feel is valid and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Jan 10, 2025
bclozel (Member) commented Jan 10, 2025

See github/advisory-database#5158

stevenliuit (Author) commented

> CVE-2016-1000027 is a well-known false positive, please read this issue comment.
>
> CVE-2024-38827 is a Spring Security issue, not a Spring Framework one. Our official advisory explains that well, but it seems that the GitHub advisory is wrong. I'll try and submit a fix for that one to GitHub.
>
> Spring Framework 5.3.x and 6.0.x are only commercially supported at this point. We've released several commercial releases fixing CVEs and bugs in the meantime. For example, Spring Framework 5.4.42. Unless you are a commercial customer, you should be upgrading to an OSS supported version as soon as possible since 5.3.39 is vulnerable to several CVEs (for example, CVE-2024-38828).
>
> Please keep an eye on our blog post announcements and official support page to plan for upgrades in advance.
>
> Thanks!

thank you
