Spring Framework Path traversal vulnerability (CVE-2024-38819)


naveen pamulapati

Feb 18, 2025, 11:55:27 AM
to go-cd
Hi Team,

Our security team found Spring Framework Path traversal vulnerability on the below dependencies.

jetty-0_0_0_0-8153-cruise_war-_go-any-/webapp/WEB-INF/lib/spring-core-4.3.30.RELEASE.jar

jetty-0_0_0_0-8153-cruise_war-_go-any-/webapp/WEB-INF/lib/spring-webmvc-4.3.30.RELEASE.jar

Can you please let us know how we can remediate the issue? We are currently running GoCD using docker and version is 24.2.0. (19076-1406870fc6e121194028e55c4facc0c638d70007).

docker pull gocd/gocd-agent-ubuntu-24.04:v24.2.0

Appreciate your help.

Thanks,
Naveen.

Chad Wilson

Feb 18, 2025, 12:06:58 PM
to go...@googlegroups.com
You cannot "remediate" it (if you mean make the tool stop reporting it), but that specific issue is not believed to be a real problem, as GoCD does not "serv[e] static resources through the functional web frameworks WebMvc.fn or WebFlux.fn" relevant to CVE-2024-38819.

Please see https://github.com/gocd/gocd/discussions/12947#discussioncomment-10071870 and review the commentary at https://github.com/gocd/gocd/blob/b1cfbd334777350a713a76b2af7dfb1ea9464d32/build-platform/.trivyignore.yaml#L10-L15

However, if you are running 24.2.0 you likely have bigger, real security risks rather than the things the scanning tools spit out from embedded libraries. You should upgrade to 24.5.0 or later to remediate those real vulnerabilities.
-Chad
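The applicability argument above (CVE-2024-38819 only matters when static resources are served through WebMvc.fn or WebFlux.fn) can be checked against a deployed WAR rather than taken on faith: the script below lists the bundled spring-* jars and reports every class that references the functional routing API. This is an added example, not GoCD project code; the jar names come from the report above, the `RouterFunctions` marker classes are assumed to be the right indicator of WebMvc.fn/WebFlux.fn use, and the sample WAR is constructed inline.

```python
import io
import zipfile

# Class files store referenced class names in internal (slashed) form in the
# constant pool, so a byte search over .class entries finds every reference.
FUNCTIONAL_MARKERS = (
    b"org/springframework/web/servlet/function/RouterFunctions",          # WebMvc.fn
    b"org/springframework/web/reactive/function/server/RouterFunctions",  # WebFlux.fn
)

def _refs(class_bytes: bytes) -> bool:
    return any(m in class_bytes for m in FUNCTIONAL_MARKERS)

def _zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def scan_war(war_bytes: bytes) -> dict:
    """List bundled spring-* jars and every class (in the WAR or in a non-Spring
    jar under WEB-INF/lib) that references the functional routing API."""
    result = {"spring_jars": [], "functional_refs": []}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            data = war.read(name)
            if name.endswith(".class") and _refs(data):
                result["functional_refs"].append(name)
            elif name.endswith(".jar"):
                base = name.rsplit("/", 1)[-1]
                if base.startswith("spring-"):   # the framework itself defines the API
                    result["spring_jars"].append(base)
                    continue
                with zipfile.ZipFile(io.BytesIO(data)) as jar:
                    for entry in jar.namelist():
                        if entry.endswith(".class") and _refs(jar.read(entry)):
                            result["functional_refs"].append(f"{name}!{entry}")
    return result

def build_sample_war(uses_functional: bool) -> bytes:
    """Constructed sample WAR: the two jars from the report plus one fake app class."""
    ref = (b"org/springframework/web/servlet/function/RouterFunctions" if uses_functional
           else b"org/springframework/web/servlet/DispatcherServlet")
    return _zip({
        "WEB-INF/lib/spring-core-4.3.30.RELEASE.jar": _zip({"META-INF/MANIFEST.MF": b""}),
        "WEB-INF/lib/spring-webmvc-4.3.30.RELEASE.jar": _zip({"META-INF/MANIFEST.MF": b""}),
        "WEB-INF/classes/com/example/Routes.class": b"\xca\xfe\xba\xbe" + ref,
    })
```

An empty `functional_refs` list means the affected code path is not reachable from the application's own classes, which is the basis for a documented scanner suppression; a non-empty list means the finding needs real review rather than an ignore entry.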
