spring 5.3.39 how to fix CVE-2016-1000027 CVE-2024-38827

[stevenliuit]

** Bug Reports **

Spring version 5.3.39 has two vulnerabilities, CVE-2016-1000027 and CVE-2024-38827. Can you provide a fixed version? For example, 5.3.40 or other versions? Because if we need to upgrade to version 6.x to fix them, our project will be very large and difficult to solve.

[bclozel]

CVE-2016-1000027 is a well-known false positive, please read this issue comment.

CVE-2024-38827 is a Spring Security issue, not a Spring Framework one. Our official advisory explains that well, but it seems that the GitHub advisory is wrong. I'll try and submit a fix for that one to GitHub.

Spring Framework 5.3.x and 6.0.x are only commercially supported at this point. We've released several commercial releases fixing CVEs and bugs in the meantime. For example, Spring Framework 5.4.42. Unless you are a commercial customer, you should be upgrading to an OSS supported version as soon as possible since 5.3.39 is vulnerable to several CVEs (for example, cve-2024-38828).

Please keep an eye on our blog post announcements and official support page to plan for upgrades in advance.

Thanks!

[bclozel]

See github/advisory-database#5158

[stevenliuit]

CVE-2016-1000027 is a well-known false positive, please read this issue comment.

CVE-2024-38827 is a Spring Security issue, not a Spring Framework one. Our official advisory explains that well, but it seems that the GitHub advisory is wrong. I'll try and submit a fix for that one to GitHub.

Spring Framework 5.3.x and 6.0.x are only commercially supported at this point. We've released several commercial releases fixing CVEs and bugs in the meantime. For example, Spring Framework 5.4.42. Unless you are a commercial customer, you should be upgrading to an OSS supported version as soon as possible since 5.3.39 is vulnerable to several CVEs (for example, cve-2024-38828).

Please keep an eye on our blog post announcements and official support page to plan for upgrades in advance.

Thanks!

thank you