search

hapifhir / hapi-fhir

🔥 HAPI FHIR - Java API for HL7 FHIR Clients and Servers
http://hapifhir.io
Apache License 2.0
2.04k stars 1.33k forks source link

CVE-2024-38820 (Low) detected in spring-context-6.1.8.jar #6389

Open mend-bolt-for-github[bot] opened 1 month ago

mend-bolt-for-github[bot] commented 1 month ago

CVE-2024-38820 - Low Severity Vulnerability

Vulnerable Library - spring-context-6.1.8.jar

Spring Context

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /hapi-fhir-docs/pom.xml

Path to vulnerable library: /hapi-fhir-docs/pom.xml,/hapi-fhir-spring-boot/hapi-fhir-spring-boot-samples/hapi-fhir-spring-boot-sample-client-okhttp/pom.xml,/hapi-fhir-jpaserver-searchparam/pom.xml,/hapi-fhir-spring-boot/hapi-fhir-spring-boot-autoconfigure/pom.xml,/tests/hapi-fhir-base-test-jaxrsserver-kotlin/pom.xml,/hapi-fhir-test-utilities/pom.xml,/hapi-tinder-plugin/pom.xml,/hapi-fhir-storage-batch2-test-utilities/pom.xml,/hapi-fhir-jpaserver-test-utilities/pom.xml,/hapi-fhir-jpaserver-uhnfhirtest/pom.xml,/hapi-fhir-jpaserver-base/pom.xml,/hapi-fhir-jpa/pom.xml,/hapi-fhir-storage-cr/pom.xml,/hapi-fhir-jpaserver-mdm/pom.xml,/hapi-fhir-server-cds-hooks/pom.xml,/hapi-fhir-jpaserver-model/pom.xml,/hapi-fhir-jpaserver-elastic-test-utilities/pom.xml,/hapi-fhir-jpaserver-subscription/pom.xml,/hapi-fhir-storage-batch2-jobs/pom.xml,/hapi-fhir-storage-mdm/pom.xml,/hapi-fhir-storage-batch2/pom.xml,/hapi-fhir-spring-boot/hapi-fhir-spring-boot-starter/pom.xml,/hapi-fhir-storage-test-utilities/pom.xml,/hapi-fhir-cli/hapi-fhir-cli-app/pom.xml,/hapi-fhir-storage/pom.xml,/hapi-fhir-jaxrsserver-base/pom.xml,/hapi-fhir-spring-boot/hapi-fhir-spring-boot-samples/hapi-fhir-spring-boot-sample-client-apache/pom.xml,/hapi-fhir-cli/hapi-fhir-cli-api/pom.xml,/hapi-fhir-spring-boot/hapi-fhir-spring-boot-samples/hapi-fhir-spring-boot-sample-server-jersey/pom.xml,/hapi-fhir-jpaserver-ips/pom.xml,/hapi-fhir-jpaserver-hfql/pom.xml,/hapi-fhir-docs/pom.xml

Dependency Hierarchy: - :x: **spring-context-6.1.8.jar** (Vulnerable Library)

Found in HEAD commit: b59f2d05a7d0fd10c7b03bb6f0ebf97757172a71

Found in base branch: master

Vulnerability Details

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

Publish Date: 2024-10-18

URL: CVE-2024-38820

CVSS 3 Score Details (3.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38820

Release Date: 2024-10-18

Fix Resolution: 6.1.14

Step up your Open Source Security Game with Mend here