Confluence Data Center
CONFSERVER-98831

Security vulnerability -> cve-2024-38819 in spring-web-5.3.39-atlassian-2.jar

    • Issue Type: Suggestion
    • Resolution: Unresolved
    • Security
    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      CONFLUENCE DATA CENTER
      Version 8.5.17
      CVSS Base Score: 7.5
      Affected Spring Framework version used by the given Confluence version.

      Security scan procedures reported the following impact.

      Refer to 
      https://spring.io/security/cve-2024-38819
      https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N&version=3.1

      /opt/confluence/confluence/synchrony-proxy/WEB-INF/lib/spring-web-5.3.39-atlassian-2.jar

      Affected Versions:
      Spring Framework:
      5.3.0 - 5.3.40
      6.0.0 - 6.0.24
      6.1.0 - 6.1.13

      An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

      ....
      Sorry, I was not allowed to create a vulnerability ticket.
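A check a practitioner can run against the `WEB-INF/lib` directory named in the description, as an added example that is not part of the original issue or of any Atlassian or Spring code: it parses Spring Framework jar file names, ignores other projects that share the `spring-` prefix (Spring Security, Spring Boot and so on have their own version lines), and compares the upstream version against the affected ranges and first fixed releases published in the Spring advisory linked above. The list of jar names is constructed for illustration. The `-atlassian-N` rebuild suffix is parsed but deliberately left out of the comparison: a vendor rebuild number says nothing about which upstream fix level the jar carries, so a hit here is an indicator to confirm against the vendor's advisory, not proof that the code path is reachable or exploitable.

```python
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges (inclusive) and first fixed release for each line,
# taken from https://spring.io/security/cve-2024-38819.
AFFECTED_RANGES = [
    ((5, 3, 0), (5, 3, 40), (5, 3, 41)),
    ((6, 0, 0), (6, 0, 24), (6, 0, 25)),
    ((6, 1, 0), (6, 1, 13), (6, 1, 14)),
]

# Module artifacts of the Spring Framework project itself. Anything else with a
# "spring-" prefix (spring-security-*, spring-boot-*, spring-data-*) is a
# different project with its own versioning and must not be compared here.
FRAMEWORK_ARTIFACTS = frozenset({
    "spring-aop", "spring-beans", "spring-context", "spring-context-indexer",
    "spring-context-support", "spring-core", "spring-expression",
    "spring-instrument", "spring-jcl", "spring-jdbc", "spring-jms",
    "spring-messaging", "spring-orm", "spring-oxm", "spring-r2dbc",
    "spring-test", "spring-tx", "spring-web", "spring-webflux",
    "spring-webmvc", "spring-websocket",
})

# Matches e.g. spring-web-5.3.39-atlassian-2.jar or spring-webmvc-6.1.13.jar.
# The optional vendor suffix ("-atlassian-2") is captured for reporting only.
JAR_RE = re.compile(
    r"^(?P<artifact>spring-[a-z-]+?)-(?P<ver>\d+\.\d+\.\d+)"
    r"(?P<suffix>-[A-Za-z0-9.-]+)?\.jar$"
)


def parse_jar_name(name: str) -> Optional[Tuple[str, Version, str]]:
    """Return (artifact, upstream version, vendor suffix) for a Spring Framework
    jar file name, or None if the name is not a Spring Framework module."""
    m = JAR_RE.match(name)
    if not m or m.group("artifact") not in FRAMEWORK_ARTIFACTS:
        return None
    major, minor, patch = (int(p) for p in m.group("ver").split("."))
    return m.group("artifact"), (major, minor, patch), m.group("suffix") or ""


def is_affected(version: Version) -> Optional[Version]:
    """Return the first fixed release if `version` lies in an affected range,
    otherwise None. Tuple comparison gives correct numeric ordering."""
    for low, high, fixed in AFFECTED_RANGES:
        if low <= version <= high:
            return fixed
    return None


def scan_jar_names(names: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (file name, artifact, version, first fixed release) for every
    Spring Framework jar whose upstream version is in an affected range."""
    findings = []
    for name in names:
        parsed = parse_jar_name(name)
        if parsed is None:
            continue
        artifact, version, _suffix = parsed
        fixed = is_affected(version)
        if fixed is not None:
            findings.append((name, artifact,
                             ".".join(map(str, version)),
                             ".".join(map(str, fixed))))
    return findings


def scan_lib_dir(lib_dir: str) -> List[Tuple[str, str, str, str]]:
    """Scan a real directory, e.g. .../synchrony-proxy/WEB-INF/lib."""
    return scan_jar_names(p.name for p in Path(lib_dir).glob("*.jar"))


# Constructed sample directory listing for illustration; the first two names
# are the jars mentioned on this page, the rest are made up to exercise the
# negative cases (fixed release, other Spring project, unrelated library).
SAMPLE_LIB = [
    "spring-web-5.3.39-atlassian-2.jar",
    "spring-webmvc-5.3.39-atlassian-3.jar",
    "spring-core-5.3.41.jar",
    "spring-security-core-6.0.5.jar",
    "spring-web-6.1.14.jar",
    "jackson-databind-2.15.2.jar",
]

if __name__ == "__main__":
    for name, artifact, version, fixed in scan_jar_names(SAMPLE_LIB):
        print(f"{name}: {artifact} {version} is in an affected range; "
              f"first fixed upstream release is {fixed}")
```

Point `scan_lib_dir()` at the real `WEB-INF/lib` directory to reproduce what a file-name based scanner such as Qualys sees; the result tells you the upstream version the jar was built from, which is exactly what the scanner keys on, and nothing more.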


            beenenhouse added a comment -

            The module developer has already released a fix a long time ago (5.3.41), when will this module be updated in Confluence? I have been seeing this vulnerability in Qualys for several months now.

            mohan chhetri added a comment -

            We upgraded to version 8.5.18 which is shown as fixed version for CVE-2024-38819 [CONFSERVER-98564] CVE-2024-38819: Path traversal vulnerability in org.springframework:spring-webmvc used by Confluence Data Center, but Confluence 8.5.18 is also using spring 5.3.39 which is vulnerable ...atlassian-confluence-8.5.18/synchrony-proxy/WEB-INF/lib/spring-webmvc-5.3.39-atlassian-3.jar

            Qualys detects this as vulnerable.

            When is Atlassian upgrading Spring Framework to 5.3.41?

              Assignee: Unassigned
              Reporter: Harald Maierhofer
              Votes: 2
              Watchers: 4