
Update GHSA-r4q3-7g4q-x89m.json CVE-2024-22233 #3365

Closed

Conversation


@prabhu prabhu commented Jan 24, 2024

spring-core is not affected by this vulnerability. Rather, applications must be using spring-webmvc with spring-security-core (used or available in classpath). Since expressing such a condition is not possible with this schema, my edit would still result in false positives.

@github-actions github-actions bot changed the base branch from main to prabhu/advisory-improvement-3365 January 24, 2024 21:55
@JonathanLEvans

Hi @prabhu, do you have reference links showing that spring-core is unaffected and the other packages are? Links to the commits that fix the issue would be especially helpful.

@prabhu

prabhu commented Jan 24, 2024

@JonathanLEvans, it's best to get this confirmed by someone from the Spring team, but below is my understanding.

The new filter is part of spring-webmvc and comes into the picture only when spring-security is available in the classpath. The commit that introduces HandlerMappingIntrospector to spring-security is here.

Some sample payloads to cause DoS with matches (from LiveOverflow on Twitter).

/.(.*a.*a.*a.*a.*a.*a.*a.*a.*a.*a.*a.*a.*a.*a.*a.*a.*a.*a)+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!
"(.*a){100}aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!"

Related tickets

spring-projects/spring-framework#31937

To conclude, please try and seek official confirmation from the spring team since it is possible I might have missed something somewhere.

@JonathanLEvans

Hi @prabhu, the commit you provided does not clearly relate to the vulnerability. As you suggested, we reached out to the Spring team but have not received clarification. Without further clarification, we will continue to list spring-core as the affected package since https://spring.io/security/cve-2024-22233/ says to update the entire framework.
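The thread's core point is that the advisory schema lists affected packages one at a time, so it cannot say "vulnerable only when spring-webmvc and spring-security-core are both on the classpath". The following is an added example (not code from the PR, the advisory database, or the Spring project) that shows the consequence for a scanner: the advisory record, version ranges and dependency sets are constructed placeholders, and the REQUIRES_ALL conjunction is a hypothetical rule the GHSA/OSV schema does not offer.

```python
# Added example (not from the advisory PR): why a flat per-package "affected"
# list flags applications the PR comment says are not vulnerable. The record
# and dependency sets are CONSTRUCTED (placeholder versions), and the
# conjunction REQUIRES_ALL is HYPOTHETICAL: the GHSA/OSV schema has no such field.

# Constructed OSV-style record; the real GHSA-r4q3-7g4q-x89m ranges differ.
ADVISORY = {
    "id": "GHSA-r4q3-7g4q-x89m",
    "affected": [{
        "package": {"ecosystem": "Maven", "name": "org.springframework:spring-core"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "6.1.0"}, {"fixed": "6.1.4"}]}],
    }],
}

# Hypothetical conjunction: vulnerable only when BOTH artifacts are on the classpath.
REQUIRES_ALL = {"org.springframework:spring-webmvc",
                "org.springframework.security:spring-security-core"}


def parse_version(v: str) -> tuple:
    """'6.1.3' -> (6, 1, 3) for ordered comparison (numeric segments only)."""
    return tuple(int(p) for p in v.split("."))


def in_range(version: str, events: list) -> bool:
    """OSV ECOSYSTEM range semantics: introduced <= version < fixed."""
    ver = parse_version(version)
    introduced = fixed = None
    for ev in events:
        introduced = parse_version(ev["introduced"]) if "introduced" in ev else introduced
        fixed = parse_version(ev["fixed"]) if "fixed" in ev else fixed
    return introduced is not None and ver >= introduced and (fixed is None or ver < fixed)


def flat_match(deps: dict) -> bool:
    """What scanners do today: flag if any listed package version is in range."""
    return any(
        e["package"]["name"] in deps
        and any(in_range(deps[e["package"]["name"]], r["events"]) for r in e["ranges"])
        for e in ADVISORY["affected"]
    )


def conjunctive_match(deps: dict) -> bool:
    """Hypothetical rule: flat match AND every co-dependency is present."""
    return flat_match(deps) and REQUIRES_ALL.issubset(deps)


# Constructed dependency sets (artifact -> version).
PLAIN_APP = {"org.springframework:spring-core": "6.1.2"}  # no MVC, no Security
WEB_APP = {**PLAIN_APP, "org.springframework:spring-webmvc": "6.1.2",
           "org.springframework.security:spring-security-core": "6.2.1"}
```

Running both matchers over PLAIN_APP shows the false positive the PR describes: the flat rule flags an application that only pulls in spring-core, while the conjunctive rule flags only WEB_APP.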

@prabhu prabhu closed this by deleting the head repository Feb 9, 2024