Upgrade Spring Framework to fix CVE-2024-22243


    • Type: Bug
    • Resolution: Fixed
    • Priority: Medium
    • Fix Version/s: 9.5.2, 9.2.12
    • Affects Version/s: 9.4.3, 9.2.11, 9.5.1
    • Component/s: Security
    • Severity 2 - Major

      Issue Summary

      CVE: https://spring.io/security/cve-2024-22243

      Bamboo doesn't use the affected part of that library (UriComponentsBuilder for parsing URLs). Security scanners will flag the vulnerable dependency, but it is NOT exploitable in Bamboo.
      If your security policies nevertheless require a total absence of vulnerable dependencies (even non-exploitable ones), the latest releases contain the fixed version of spring-web (5.3.32).

      This is an informational ticket to inform customers about the underlying CVE.

      Environment

      • Bamboo 9.*

      Steps to Reproduce

      Check the Spring Framework jars in the installation directory for their version:

      • Bamboo Agent: <agent installation Directory>/classpath/spring-core-5.3.31.jar
      • Bamboo Server: <bamboo installation directory>/9.2.11/atlassian-bamboo/WEB-INF/lib/spring-core-5.3.31.jar

      Expected Results

      • Bamboo 9.x: Spring Framework 5.3.32 or later

      Actual Results

      • Bamboo 9.x: Spring Framework 5.3.31
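A small POSIX shell check for the steps above, added here as an example and not part of the Atlassian ticket: it reads the version out of the Spring Framework jar names under the directories you pass it (the agent classpath/ and server WEB-INF/lib/ paths named above) and flags any jar below 5.3.32. The jar naming pattern and directory layout are assumptions taken from the ticket.

```shell
#!/bin/sh
# Added example, not part of the Bamboo ticket: report Spring Framework jars
# below the release that carries the CVE-2024-22243 fix (spring-web 5.3.32).
# Assumes jars are named <artifact>-<version>.jar, as in the ticket's paths.

FIXED_VERSION="5.3.32"

# Print the version from a Spring jar name (spring-core-5.3.31.jar -> 5.3.31);
# prints nothing for names that are not spring-<module>-<version>.jar.
jar_version() {
    printf '%s\n' "$1" | sed -n 's/.*spring-[a-z]*-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# Dotted-version comparison in awk (portable, no sort -V): exit 0 when $1 >= $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            ai = (i <= n) ? x[i] + 0 : 0; bi = (i <= m) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# 0 = at or above FIXED_VERSION, 1 = older, 2 = not a Spring Framework jar.
jar_is_fixed() {
    v=$(jar_version "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION"
}

# Scan each directory given (e.g. <agent dir>/classpath and the server's
# WEB-INF/lib) and list every Spring jar; returns 1 if any is outdated.
scan_dirs() {
    rc=0
    for d in "$@"; do
        for jar in "$d"/spring-*.jar; do
            [ -f "$jar" ] || continue
            jar_is_fixed "$jar"
            case $? in
                0) printf 'OK       %s\n' "$jar" ;;
                1) printf 'OUTDATED %s (fixed in %s)\n' "$jar" "$FIXED_VERSION"; rc=1 ;;
            esac
        done
    done
    return "$rc"
}

[ $# -eq 0 ] || scan_dirs "$@"
```

Run it as `sh check-spring.sh <agent dir>/classpath <bamboo dir>/atlassian-bamboo/WEB-INF/lib`; a non-zero exit means at least one jar is still on 5.3.31 or older.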

            Assignee: Alexey Chystoprudov
            Reporter: Lorenzo Bueno
            Votes: 0
            Watchers: 3
