Upgrade Spring to 5.3.38 to fix CVE-2024-38809 #12586

Closed
damoasis opened this issue Sep 3, 2024 · 0 comments · Fixed by #12589
Labels
contribution welcome dependencies Pull requests that update a dependency file

Comments


damoasis commented Sep 3, 2024

Describe the bug
Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to a DoS attack.

Desktop (please complete the following information):

  • OS: CentOS
  • version: nacos-server 2.4.1

Additional context
Spring official link

Affected Spring Products and Versions

Spring Framework

  • 6.1.0 - 6.1.11
  • 6.0.0 - 6.0.22
  • 5.3.0 - 5.3.37
  • Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s)   Fix version   Availability
6.1.x                 6.1.12        OSS
6.0.x                 6.0.23        OSS
5.3.x                 5.3.38        OSS

No other mitigation steps are necessary.

Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.

Credit

This issue was responsibly reported by Seokchan Yoon.

History

  • 2024-08-14: Initial vulnerability report published.
@KomachiSion KomachiSion added the "dependencies" and "contribution welcome" labels Sep 3, 2024
KomachiSion added a commit to KomachiSion/nacos that referenced this issue Sep 3, 2024
KomachiSion added a commit that referenced this issue Sep 3, 2024
* For #12387, upgrade logback adapter to 1.1.3

* For #12586, upgrade spring version to 5.3.38.

* Use npm audit fix to fix no conflict ui depend component security problem.