-
Notifications
You must be signed in to change notification settings - Fork 38.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Updates to resource handling for functional endpoints #33434
Comments
Closes: spring-projectsgh-33434 (cherry picked from commit d86bf8b)
Hello @rstoyanchev, hope you are doing well. I've come across this PR and noticed, that there is one minor issue. I've created a PR, which should resolve it, could you please take a look? #33568 |
@drdpov Hello, as we currently have no plans to upgrade to version 6.1. x, this issue has triggered a high-risk vulnerability: https://spring.io/security/cve-2024-38816 Can you fix those issues specifically for version 5.3.39? |
@lucky8987 all CVE fixes are already backported to 5.3.x, see our announcement blog post and the advisory you've linked to. 5.3.x is not OSS supported anymore so you'll have to upgrade to a newer generation or consider commercial support. |
I understand, thanks ! |
@bclozel Hello, I would like to ask if CVE-2024-38819 is the same as CVE-2024-38816 can use Tomcat or Jetty as the web server to reject such malicious requests? Thank you. |
@luckymanbuddha I believe the Spring Security firewall will protect against those, but not Tomcat nor Jetty. |
Closes: spring-projectsgh-33434 (cherry picked from commit d86bf8b)
The built-in handling of resources in Spring MVC and WebFlux gets updated occasionally, but the functional programming model hasn't stayed up-to-date. Those should be functionally equivalent where it makes sense.
The text was updated successfully, but these errors were encountered: