
[GHSA-g5h3-w546-pj7f] Spring Boot Security Bypass with Wildcard Pattern Matching on Cloud Foundry

Open namandf opened this issue 1 year ago • 3 comments

Updates

  • Affected products

Comments

Older versions of the package, as mentioned in the description, are affected by this vulnerability. The same is highlighted in the Maven repository: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-actuator-autoconfigure

namandf avatar Jun 11 '24 06:06 namandf

Hi @namandf, just to confirm, this advisory already has published a vulnerable version range of >= 3.0.0, < 3.0.6 with version 3.0.6 being the first patched version as well as

  • >= 2.7.0, < 2.7.11
  • >= 2.6.0, < 2.6.15
  • >= 2.5.0, < 2.5.15

Is there an additional vulnerable version range you have found to be vulnerable?

CallmeMari avatar Jun 11 '24 20:06 CallmeMari
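As an added example (not part of this thread, the advisory database's tooling, or the Spring project), the following Python check classifies a Spring Boot version against the four ranges quoted in the comment above. It parses both the current `3.0.5` form and the older `2.3.12.RELEASE` form, orders pre-release builds (RC, M, SNAPSHOT) before their GA release so that a snapshot of a fixed version is still reported as affected, and reports anything below 2.5.0 as not covered by a published range rather than asserting either way. The `pom.xml` is constructed sample input; the helper that reads it only handles the `spring-boot-starter-parent` form and is an assumption of this example.

```python
"""Classify a Spring Boot version against the ranges in GHSA-g5h3-w546-pj7f.

Added example; the ranges are those published in the advisory and quoted in
this thread. spring-boot-actuator-autoconfigure is released with the same
version number as Spring Boot itself, so the Spring Boot version is what gets
checked.
"""
import re
import xml.etree.ElementTree as ET
from typing import NamedTuple, Optional


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    final: int  # 1 for a GA release ('3.0.5', '2.3.12.RELEASE'), 0 for RC/M/SNAPSHOT


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]([A-Za-z0-9]+))?$")


def parse_version(text: str) -> Version:
    """Parse '3.0.5', '2.3.12.RELEASE' or '3.0.6-SNAPSHOT' into a comparable tuple.

    Pre-release qualifiers sort before the GA build of the same patch number, so
    '3.0.6-SNAPSHOT' < '3.0.6' and is treated as not yet carrying the fix.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Spring Boot version: {text!r}")
    major, minor, patch, qualifier = m.groups()
    final = 1 if qualifier in (None, "RELEASE") else 0
    return Version(int(major), int(minor), int(patch), final)


def ga(major: int, minor: int, patch: int) -> Version:
    return Version(major, minor, patch, 1)


# (introduced, fixed): a version is affected if introduced <= v < fixed.
AFFECTED_RANGES = [
    (ga(3, 0, 0), ga(3, 0, 6)),
    (ga(2, 7, 0), ga(2, 7, 11)),
    (ga(2, 6, 0), ga(2, 6, 15)),
    (ga(2, 5, 0), ga(2, 5, 15)),
]


def classify(text: str) -> str:
    v = parse_version(text)
    for introduced, fixed in AFFECTED_RANGES:
        if introduced <= v < fixed:
            return f"affected (fixed in {fixed.major}.{fixed.minor}.{fixed.patch})"
    # Same minor line as a published range and at/after its fix version.
    for introduced, fixed in AFFECTED_RANGES:
        if (v.major, v.minor) == (introduced.major, introduced.minor) and v >= fixed:
            return "patched"
    newest_fix = max(fixed for _, fixed in AFFECTED_RANGES)
    if v >= newest_fix:
        return "patched"
    oldest_listed = min(introduced for introduced, _ in AFFECTED_RANGES)
    if v < oldest_listed:
        # 2.0.x through 2.4.x: unsupported lines the advisory does not enumerate.
        return "not listed: older, unsupported line; the advisory publishes no range for it"
    return "not listed: no published range for this line"


def spring_boot_version_from_pom(pom_xml: str) -> Optional[str]:
    """Return the spring-boot-starter-parent version declared in a pom.xml, or None.

    Only the <parent> form is handled (assumption of this example). Projects that
    import the Spring Boot BOM instead need `mvn dependency:tree` or a manual look.
    """
    root = ET.fromstring(pom_xml)
    ns = {"m": root.tag[1:].split("}")[0]} if root.tag.startswith("{") else {}
    p = "m:" if ns else ""
    parent = root.find(f"{p}parent", ns)
    if parent is None:
        return None
    if parent.findtext(f"{p}artifactId", default="", namespaces=ns) != "spring-boot-starter-parent":
        return None
    return parent.findtext(f"{p}version", default=None, namespaces=ns)


# Constructed sample pom.xml for demonstration; not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.10</version>
  </parent>
  <artifactId>demo</artifactId>
</project>
"""

if __name__ == "__main__":
    for ver in ["3.0.5", "3.0.6", "3.0.6-SNAPSHOT", "2.7.11", "2.3.12.RELEASE", "3.1.0"]:
        print(f"{ver:16} {classify(ver)}")
    declared = spring_boot_version_from_pom(SAMPLE_POM)
    print(f"pom.xml declares {declared}: {classify(declared)}")
```

The "not listed" result is deliberate: it reproduces the gap this thread is about, since the advisory's published ranges start at 2.5.0 while the description says only that older unsupported versions could be susceptible, and a checker should surface that rather than silently report such versions as safe.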

Hi @CallmeMari ,

The description states that all older unsupported versions could be susceptible. Maven suggests that all versions 2.0.x, 2.1.x, 2.2.x, 2.3.x, 2.4.x, etc. are vulnerable: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-actuator-autoconfigure

E.g. https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-actuator-autoconfigure/2.3.12.RELEASE

(screenshot attached, 2024-06-13)

namandf avatar Jun 13 '24 16:06 namandf

Hi @CallmeMari, hope you are doing great. I wanted to check whether there's an update.

namandf avatar Jun 25 '24 03:06 namandf

Hi @namandf! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

advisory-database[bot] avatar Jul 08 '24 19:07 advisory-database[bot]