spring 5.3.39 how to fix CVE-2016-1000027 CVE-2024-38827 #34232
Comments
spring-projects-issues
added
the
status: waiting-for-triage
|
CVE-2016-1000027 is a well-known false positive, please read this issue comment. CVE-2024-38827 is a Spring Security issue, not a Spring Framework one. Our official advisory explains that well, but it seems that the GitHub advisory is wrong. I'll try and submit a fix for that one to GitHub. Spring Framework 5.3.x and 6.0.x are only commercially supported at this point. We've released several commercial releases fixing CVEs and bugs in the meantime. For example, Spring Framework 5.4.42. Unless you are a commercial customer, you should be upgrading to an OSS supported version as soon as possible since 5.3.39 is vulnerable to several CVEs (for example, cve-2024-38828). Please keep an eye on our blog post announcements and official support page to plan for upgrades in advance. Thanks! |
bclozel
added
status: invalid
** Bug Reports **
Spring version 5.3.39 has two vulnerabilities, CVE-2016-1000027 and CVE-2024-38827. Can you provide a fixed version? For example, 5.3.40 or other versions? Because if we need to upgrade to version 6.x to fix them, our project will be very large and difficult to solve.
The text was updated successfully, but these errors were encountered: