Spring Framework version 2.2.4.RELEASE
Hi, I found that io.netty 4.1.45/44, which is used in your project, has a security problem.
Overview: org.wso2.transport.http:org.wso2.transport.http.netty is an HTTP protocol handling implementation for C5 based products.
Affected versions of this package are vulnerable to HTTP Response Splitting due to HTTP Header validation being disabled.
Remediation: Upgrade org.wso2.transport.http:org.wso2.transport.http.netty to version 6.3.1 or higher.
References: CONFIRM - https://snyk.io/vuln/SNYK-JAVA-ORGWSO2TRANSPORTHTTP-548944
See below for more details:
Comment From: bclozel
Hello @sewilguler
It seems the link you've provided is about org.wso2.transport.http:org.wso2.transport.http.netty, Spring Framework does not depend on this library.
Spring Framework optionally depends on Netty and Reactor Netty and an issue has been created for the project about this CVE: netty/netty#10059. This seems to be a documentation issue as developers should avoid disabling header validation in DefaultFullHttpResponse, DefaultHttpResponse and DefaultHttpHeaders constructors.
I haven't found any instance of such misuse in Spring Framework nor Reactor Netty. Do you have reasons to believe that Spring Framework is currently at risk? If you believe so, please report security issues responsibly on https://pivotal.io/security
In the meantime, there are no released Netty versions "fixing" this issue; and this will be fixed by documentation apparently.
Please provide us with more information about this as soon as you can; I'm leaving this issue open for now. By the way, did you manually scan Spring for this, or are you using a tool that reported this problem? Thanks!
Note: I believe you meant to report this against Spring Boot 2.2.4.RELEASE (as Spring Framework 2.2.4.RELEASE doesn't exist). But my comment also applies to Spring Boot.
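To make the misuse bclozel refers to concrete, here is an added example (written for this page, not code from Spring, Reactor Netty or the Netty issue) showing the Netty 4.1 constructors in question. The `validateHeaders` boolean on `DefaultHttpHeaders`, `DefaultHttpResponse` and `DefaultFullHttpResponse` is the real Netty API; the class name `HeaderValidationDemo` and the CRLF-bearing cookie value are constructed for the demonstration. With validation left at its default (`true`), a header value containing `\r\n` is rejected with an `IllegalArgumentException`; with validation switched off, the same value is stored verbatim and would reach the wire, which is the response-splitting primitive.

```java
import io.netty.buffer.Unpooled;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.FullHttpResponse;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpHeaders;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpVersion;

public class HeaderValidationDemo {

    // Constructed attacker-controlled input: a cookie value carrying a CRLF and a second header line.
    static final String TAINTED = "session=abc\r\nX-Injected: 1";

    // The pattern to avoid: header validation explicitly disabled (constructor argument validate=false).
    static HttpHeaders unsafeHeaders() {
        HttpHeaders headers = new DefaultHttpHeaders(false);
        headers.set(HttpHeaderNames.SET_COOKIE, TAINTED); // accepted as-is, CRLF survives
        return headers;
    }

    // Default behaviour: validation on, so the same call throws IllegalArgumentException.
    static HttpHeaders safeHeaders() {
        HttpHeaders headers = new DefaultHttpHeaders();
        headers.set(HttpHeaderNames.SET_COOKIE, TAINTED);
        return headers;
    }

    // The same flag is the trailing boolean of the response constructors; passing false
    // disables validation for every header later set on that response.
    static FullHttpResponse unsafeResponse() {
        return new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.OK,
                Unpooled.EMPTY_BUFFER, false);
    }

    // Hardened form: omit the flag (defaults to true) or pass true explicitly.
    static FullHttpResponse safeResponse() {
        return new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.OK,
                Unpooled.EMPTY_BUFFER, true);
    }

    public static void main(String[] args) {
        HttpHeaders unsafe = unsafeHeaders();
        System.out.println("validate=false stored CRLF: "
                + unsafe.get(HttpHeaderNames.SET_COOKIE).contains("\r\n"));

        try {
            safeHeaders();
            System.out.println("validate=true accepted tainted value (unexpected)");
        } catch (IllegalArgumentException e) {
            System.out.println("validate=true rejected tainted value: " + e.getMessage());
        }

        // Response-level flag behaves the same way.
        unsafeResponse().headers().set(HttpHeaderNames.SET_COOKIE, TAINTED);
        System.out.println("response with validateHeaders=false accepted CRLF");
        try {
            safeResponse().headers().set(HttpHeaderNames.SET_COOKIE, TAINTED);
            System.out.println("response with validateHeaders=true accepted CRLF (unexpected)");
        } catch (IllegalArgumentException e) {
            System.out.println("response with validateHeaders=true rejected CRLF");
        }
    }
}
```

When auditing a codebase for this, the things to look for are literal `false` passed as the `validate`/`validateHeaders` argument of these constructors, or a configuration value that can end up `false`; the fix is to leave validation enabled and, where a value must legitimately contain control characters, to encode it before it becomes a header value rather than to relax the check.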
Comment From: rstoyanchev
@sewilguler for future reference, if you believe there is a security issue, please use the appropriate channel for disclosing it responsibly. This is mentioned at the top of our new issue template where it says:
!!! For Security Vulnerabilities, please go to https://pivotal.io/security !!!
Comment From: sewilguler
Hi @bclozel,
Thank you for your reply, and sorry if I caused any trouble or distress. As you said, I actually meant to report this against Spring Boot 2.2.4. I have a scheduled task on my project running OWASP dependency check on Gradle (org.owasp.dependencycheck: 5.3.0) and started to get security warnings because of new CVEs found on the 18th of February. We can close this issue. Thank you for the information, and sorry again; my mistake for not giving it enough attention.