github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-g5h3-w546-pj7f] Spring Boot Security Bypass with Wildcard Pattern Matching on Cloud Foundry #4459

Closed quinzhi closed 2 months ago

quinzhi commented 2 months ago

Updates

Comments

Since MAY 19, 2023, the Spring project fixed this CVE in 2.5.15 and 2.6.15.

darakian commented 2 months ago

Hi @quinzhi, any chance you have a reference substantiating that claim of a fix? The two release pages you've added don't seem to mention the CVE by number

quinzhi commented 2 months ago

> Hi @quinzhi, any chance you have a reference substantiating that claim of a fix? The two release pages you've added don't seem to mention the CVE by number

Hi @darakian, the release pages for 2.7.11 and 3.0.6 do not mention the CVE number either, but #35085 from the release page of 2.7.11 and #35086 from the release page of 3.0.6 mention the CVE number, and #35411 from the release page of 2.5.15 is the backport of #35085 to 2.5.x, as is #35412 from 2.6.15. Also, the reference from the original advisory-database page, spring-boot-2-5-15-and-2-6-15-available-now, claims the fix.

darakian commented 2 months ago

Gotcha. Many thanks!

advisory-database[bot] commented 2 months ago

Hi @quinzhi! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!