Update GHSA-r4q3-7g4q-x89m.json CVE-2024-22233 #3365
Conversation
spring-core is not affected by this vulnerability. Rather, applications must be using spring-webmvc with spring-security-core (used or available in classpath). Since expressing such a condition is not possible with this schema, my edit would still result in false positives.
github-actions
bot
changed the base branch from
main
to
prabhu/advisory-improvement-3365
|
Hi @prabhu, do you have reference links showing that spring-core is unaffected and the other packages are? Links to the commits that fix the issue would be especially helpful. |
|
@JonathanLEvans, best to get it confirmed by someone from spring team. But below is my understanding.
The new filter is part of spring-webmvc and comes into the picture only when spring-security is available in the class path. The commit that introduces Some sample payloads to cause dos with Related ticketsspring-projects/spring-framework#31937 To conclude, please try and seek official confirmation from the spring team since it is possible I might have missed something somewhere. |
|
Hi @prabhu, the commit you provided does not clearly relate to the vulnerability. As you suggested, we reached out to the Spring team but have not received clarification. Without further clarification, we will continue to list |
spring-core is not affected by this vulnerability. Rather, applications must be using spring-webmvc with spring-security-core (used or available in classpath). Since expressing such a condition is not possible with this schema, my edit would still result in false positives.