spring-statemachine icon indicating copy to clipboard operation
spring-statemachine copied to clipboard
verified publisher icon spring-projects

Spring State machine Core vulnerabilities CVE-2013-4152, CVE-2013-7315, CVE-2014-0054, CVE-2014-0225

Open patpatpat123 opened this issue 3 years ago • 3 comments

Hello Spring State machine Team,

I just wanted to report an issue regarding CVEs found in this project.

Background: I did two different tests Test 1 - download this repository with branch 3.1.0 test 2 - use this project at version 3.1.0 in a Spring Boot 2.6.6 + Spring Cloud Jubilee 2021.0.1 web app project (everything latest as of this writing)

For both, I run multiple static analysis tools, such as Back Duck, SonarQube, OWASP Dependency-Check, etc...

For both test, I am seeing those issues: CVE-2013-4152 CVE-2013-7315 CVE-2014-0054 CVE-2014-0225

May I ask if it is possible to help fix those CVEs please?

This is not to make some static analysis tools happy, but rather to address some real security issues.

Thank you

patpatpat123 avatar Apr 18 '22 10:04 patpatpat123

@fmbenhassine this ticket concerns 3.1.0 - can it be closed?

winfriedgerlach avatar May 22 '25 11:05 winfriedgerlach

There are CVEs on the latest version as well...

patpatpat123 avatar May 29 '25 21:05 patpatpat123

4.0.1 upgraded Spring Boot to the latest version 3.5.0 (which is compatible with previous versions for its usage in Spring State Machine). But I will check all these CVE before releasing 4.0.1.

fmbenhassine avatar May 30 '25 07:05 fmbenhassine

Spring Statemachine 4.0.1 has been released and is based on Spring Boot 3.5.3 and Spring Framework 6.2.8 which do not include those CVEs. Thank you for reporting this.

fmbenhassine avatar Jun 29 '25 08:06 fmbenhassine