Description
We are facing a Path Traversal Vulnerability (CVE-2024-38819) in our application due to the Spring Framework.
Environment Details
• Spring Version: spring-boot-starter-web 1.5.2.RELEASE
• Java Version: Java 8
• Dependency Management Tool: Maven
• Application Context: Spring boot web application
• Server: Tomcat
What We Tried
• Upgrading the Spring Web version: Attempted upgrading the Spring Web dependency from 4.3.7.RELEASE.jar to 4.3.30.RELEASE.jar to resolve the issue. However, the vulnerability persists.
  Maven dependency used: `org.springframework:spring-web:4.3.30.RELEASE` (or another 4.3.x version with security fixes)
• Higher version of Spring Framework: Considered moving to a higher version of Spring Framework, but it requires upgrading our Java version (to Java 18), which is not feasible due to compatibility and operational constraints.
Request
• Is there a workaround or alternative solution to address this vulnerability without upgrading the Java version?
• If not, can an exception be made to skip this issue, or are there any mitigations that can be applied at the code or configuration level? We would appreciate it if you could provide confirmation in one of the following formats:
  1. Vendor confirmation email
  2. Ticket updates in PDF format
  3. Confirmation published on the vendor website
Impact
This vulnerability poses a security risk to our application in production, and we are looking for a solution that does not disrupt our existing setup.
Reference Document: Spring Framework Path Traversal Vulnerability - CVE-2024-38819.docx