Spring Framework / CVE-2024-38819


Michael Plate

Oct 21, 2024, 8:56:53 AM
to dspac...@googlegroups.com
Hi,

does anybody know if / how DSpace 7/8 (and presumably older 5/6) is
affected by the Spring Framework path traversal vulnerability mentioned
here:

https://spring.io/blog/2024/10/17/spring-framework-cve-2024-38819-and-cve-2024-38820-published/

Michael

DSpace Technical Support

Oct 24, 2024, 3:19:54 PM
to DSpace Technical Support
Hi Michael,

No. Neither DSpace 7.x nor 8.x should be vulnerable to CVE-2024-38819: https://spring.io/security/cve-2024-38819

This vulnerability relates to the "functional web frameworks WebMvc.fn or WebFlux.fn" in Spring WebMVC. Neither of these is used in DSpace. An example of what that code looks like is here: https://docs.spring.io/spring-framework/reference/web/webmvc-functional.html

CVE-2024-38820 is also not something that impacts DSpace, because we don't use DataBinder: https://spring.io/security/cve-2024-38820

That said, where possible, DSpace will also obviously update our dependencies to non-vulnerable versions. This will occur in 8.1 (which uses Spring 6.1.x). It's unfortunately not possible to update in DSpace 7.6.x because that uses Spring 5 (which is now only under "Enterprise Support"). That said, sites which have Enterprise Support could perform this update in their root pom.xml.

Tim
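For sites that want to verify the answer above against their own build rather than take it on trust, here is a small triage script (an added example, not code from the thread or from the DSpace project). It reads the Spring version property pinned in a root pom.xml and scans the Java sources for imports from the WebMvc.fn / WebFlux.fn packages that the advisory concerns. The property name `spring.version`, the package names, and the sample tree it builds are all assumptions, constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added triage helper (not DSpace code): is this Maven tree exposed to the
# CVE-2024-38819 code paths (WebMvc.fn / WebFlux.fn), and which Spring does it pin?

# Print the value of <spring.version> from the given pom.xml, or "unset" when
# the property is absent. The property name is an assumption; adjust as needed.
spring_version() {
    sed -n 's:.*<spring\.version>\([^<]*\)</spring\.version>.*:\1:p' "$1" \
        | head -n 1 | grep . || echo unset
}

# Return 0 when any .java file under $1 imports the WebMvc.fn package
# (org.springframework.web.servlet.function) or the WebFlux.fn package
# (org.springframework.web.reactive.function.server), 1 otherwise.
# An application that imports neither is not on the affected code path.
uses_functional_web() {
    find "$1" -name '*.java' -exec grep -lE \
        'import org\.springframework\.web\.(servlet\.function|reactive\.function\.server)\.' {} + \
        2>/dev/null | grep -q .
}

# One-line verdict for a project directory: version pinned, functional routing or not.
triage() {
    ver=$(spring_version "$1/pom.xml")
    if uses_functional_web "$1"; then fn="uses WebMvc.fn/WebFlux.fn: review"; else fn="no functional web usage"; fi
    echo "spring.version=$ver; $fn"
}

# Constructed sample project (not DSpace's real sources) so the script runs offline:
# a pom pinning a made-up version and one plain annotated controller.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/src/main/java/demo"
    printf '<project><properties><spring.version>5.3.99-CONSTRUCTED</spring.version></properties></project>\n' > "$d/pom.xml"
    printf 'package demo;\nimport org.springframework.web.bind.annotation.RestController;\n@RestController public class Plain {}\n' \
        > "$d/src/main/java/demo/Plain.java"
    echo "$d"
}

# Usage: point it at a real checkout with `triage /path/to/dspace`; here we use the demo tree.
triage "$(demo_tree)"
```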