github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-4gc7-5j7h-4qph] Spring Framework DataBinder Case Sensitive Match Exception #4946

Closed jw123023 closed 1 month ago

jw123023 commented 1 month ago

Updates

Comments

The 6.0.25 and 5.3.41 versions of org.springframework:spring-context were not found in the central repository or any platform. According to the Milestones listed at https://github.com/spring-projects/spring-framework/issues/33708 and the merged tags at https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c, the vulnerability should be fixed in versions 6.1.14 and 6.2.0-RC2.

shelbyc commented 1 month ago

Hi @jw123023, 6.0.25 and 5.3.41 don't appear in Maven because they're part of enterprise support. We have chosen to mark those versions as fixed to avoid the possibility of false positives.

I think it makes sense to include 6.2.0-RC2 as a fixed version because the likely fix appears in 6.1.14 and 6.2.0-RC2. In the case of 6.2.0-RC2, similar commits appear three times: https://github.com/spring-projects/spring-framework/commits/v6.2.0-RC2/

You will still get credit on the advisory for providing enough evidence to include a separate vulnerable version range (VVR) for >= 6.2.0-M1, < 6.2.0-RC2. 🙂
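The separate `>= 6.2.0-M1, < 6.2.0-RC2` range discussed above only works if the consumer orders pre-release qualifiers correctly: `6.2.0-M3` must fall inside the range, `6.2.0-RC2` and the final `6.2.0` outside it. The following is an added example (not code from the advisory-database project or from Spring) of a small, qualifier-aware range check. It assumes a simplified version of Maven's ordering in which milestones (`M`) sort before release candidates (`RC`), which sort before the unqualified final release; the fixed versions come from the thread, while the lower bounds of the 5.3, 6.0 and 6.1 branches are assumed to be the first release of each branch, which the thread does not state.

```python
import re
from typing import Optional, Tuple

# Rank of a qualifier: milestone < release candidate < final release.
# Simplified model of Maven's ComparableVersion ordering (assumption).
_QUALIFIER_RANK = {"M": 0, "RC": 1, "": 2}

# Matches "6.1.14", "6.2.0-M1", "6.2.0-RC2". Other qualifiers are rejected
# rather than silently misordered.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(M|RC)(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn '6.2.0-RC2' into a sortable tuple (6, 2, 0, rank, 2)."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    major, minor, patch, qual, num = m.groups()
    rank = _QUALIFIER_RANK[qual or ""]
    return (int(major), int(minor), int(patch), rank, int(num or 0))


def in_range(version: str, introduced: Optional[str], fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (None means unbounded)."""
    key = parse_version(version)
    if introduced is not None and key < parse_version(introduced):
        return False
    if fixed is not None and key >= parse_version(fixed):
        return False
    return True


# Vulnerable version ranges reconstructed from the thread. The fixed
# versions are the ones named in the comments; the x.y.0 lower bounds of the
# first three branches are an assumption for this example, and 6.2.0-M1 is
# the lower bound quoted for the pre-release branch.
VVRS = [
    ("5.3.0", "5.3.41"),
    ("6.0.0", "6.0.25"),
    ("6.1.0", "6.1.14"),
    ("6.2.0-M1", "6.2.0-RC2"),
]


def is_affected(version: str, ranges=VVRS) -> bool:
    """Report whether a spring-context version falls in any vulnerable range."""
    return any(in_range(version, lo, hi) for lo, hi in ranges)


if __name__ == "__main__":
    # Constructed sample of versions a dependency scan might report.
    for v in ["6.1.13", "6.1.14", "6.2.0-M3", "6.2.0-RC1", "6.2.0-RC2", "6.2.0", "6.0.25"]:
        print(f"{v:>10}: {'affected' if is_affected(v) else 'not affected'}")
```

Note that 6.0.25 and 5.3.41 report as not affected even though, as the thread explains, those builds are only available through enterprise support; a scanner that cannot resolve them from Maven Central still treats them as fixed, which is the false-positive trade-off shelbyc describes.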

advisory-database[bot] commented 1 month ago

Hi @jw123023! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

wjcIvan commented 3 weeks ago

I do not understand why it is still merged. For users who have enterprise support, it will cause extra trouble.