
Upgrade org.springframework:spring-core to version 4.3.17 or later #1

Open
dzhoshkun opened this issue Oct 23, 2018 · 0 comments

@dzhoshkun
Contributor

GitHub has detected a potential security vulnerability related to the Spring Framework version, and recommended the following fix to the pom.xml file:

<dependency>
  <groupId>org.springframework</groupId>
  <artifactId>spring-core</artifactId>
  <version>[4.3.17,)</version>
</dependency>

Quoting the relevant section of the alert (the link does not seem to work, as of 23 Oct 2018):

CVE-2015-5211 More information
high severity
Vulnerable versions: > 4.2.0, < 4.2.2
Patched version: 4.2.2
Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions are vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

@dzhoshkun dzhoshkun self-assigned this Oct 23, 2018
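The issue leaves it to the reader to confirm which spring-core version a pom.xml actually declares. The script below is an added example, not part of this issue or the repository: it parses a pom.xml (with or without the Maven namespace), finds every org.springframework:spring-core declaration, and flags any concrete version below the 4.3.17 floor that the alert recommends. A Maven range such as `[4.3.17,)` is judged by its lower bound. The sample pom text and the `SAMPLE_POM` name are constructed for the example.

```python
"""Flag org.springframework:spring-core declarations in a pom.xml that sit
below the 4.3.17 floor recommended in the alert above.
Added example; the pom fragment is constructed, not the repository's file."""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (declares a version inside the alert's vulnerable range).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>4.2.1.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
</project>
"""

RECOMMENDED_FLOOR = "4.3.17"  # lower bound of the alert's suggested range [4.3.17,)


def _local(tag):
    """Strip a namespace prefix such as '{http://maven.apache.org/POM/4.0.0}'."""
    return tag.rsplit("}", 1)[-1]


def parse_version(version):
    """Turn '4.2.1.RELEASE' into a comparable tuple of its numeric parts: (4, 2, 1)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_dependency_versions(pom_xml, group_id, artifact_id):
    """Return the version strings declared for group:artifact in the pom text.

    A dependency whose version is managed elsewhere (no <version> element)
    yields an empty string so the caller can still see it was declared."""
    root = ET.fromstring(pom_xml)
    versions = []
    for element in root.iter():
        if _local(element.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in element}
        if fields.get("groupId") == group_id and fields.get("artifactId") == artifact_id:
            versions.append(fields.get("version", ""))
    return versions


def is_below_floor(version, floor=RECOMMENDED_FLOOR):
    """True if the declared version is older than the floor.

    A Maven range like '[4.3.17,)' is judged by its lower bound; a version with
    no numeric parts (empty or managed elsewhere) is flagged for manual review."""
    bound = re.match(r"^[\[(]\s*([^,\]\)]+)", version)
    if bound:
        version = bound.group(1)
    return parse_version(version) < parse_version(floor)


def audit_pom(pom_xml):
    """Return (version, needs_upgrade) for each spring-core declaration found."""
    found = find_dependency_versions(pom_xml, "org.springframework", "spring-core")
    return [(version, is_below_floor(version)) for version in found]


if __name__ == "__main__":
    for version, needs_upgrade in audit_pom(SAMPLE_POM):
        print("spring-core %-16s %s" % (version or "(managed)",
                                         "needs upgrade" if needs_upgrade else "ok"))
```

To run it against a real file, replace `SAMPLE_POM` with the contents of the project's pom.xml; versions resolved through a parent POM or dependencyManagement will show up as empty and must be checked by hand (or via `mvn dependency:tree`).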