Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[GHSA-4gc7-5j7h-4qph] Spring Framework DataBinder Case Sensitive Match Exception #4946

Conversation

jw123023
Copy link

Updates

  • Affected products
  • References

Comments
The 6.0.25 and 5.3.41 versions of org.springframework:spring-context were not found in the central repository or any platform. According to the Milestones listed at spring-projects/spring-framework#33708 and the merged tags at spring-projects/spring-framework@23656ae, the vulnerability should be fixed in versions 6.1.14 and 6.2.0-RC2.

@github-actions github-actions bot changed the base branch from main to jw123023/advisory-improvement-4946 October 28, 2024 02:52
@shelbyc
Copy link
Contributor

shelbyc commented Oct 29, 2024

Hi @jw123023, 6.0.25 and 5.3.41 don't appear in Maven because they're part of enterprise support. We have chosen to mark those versions as fixed to avoid the possibility of false positives.

I think it makes sense to include 6.2.0-RC2 as a fixed version because the likely fix appears in 6.1.14 and 6.2.0-RC2. In the case of 6.2.0-RC2, similar commits appear three times: https://github.com/spring-projects/spring-framework/commits/v6.2.0-RC2/

You will still get credit on the advisory for providing enough evidence to include a separate vulnerable version range (VVR) for >= 6.2.0-M1, < 6.2.0-RC2. 🙂

@advisory-database advisory-database bot merged commit 1e5df83 into jw123023/advisory-improvement-4946 Oct 29, 2024
2 checks passed
@advisory-database
Copy link
Contributor

Hi @jw123023! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the jw123023-GHSA-4gc7-5j7h-4qph branch October 29, 2024 21:02
@wjcIvan
Copy link

wjcIvan commented Nov 8, 2024

I do not understand why it is still merged. For users who have enterprise support, it will cause extra troubles.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants