I am involved in vulnerability fixes, and recently we were facing this issue. I have gone through the Spring security documentation (https://spring.io/security/cve-2024-22243) and upgraded my Spring Framework to 5.3.32, but when we scan through Black Duck we get critical vulnerabilities.

Does anyone know the fix for this, apart from upgrading to latest spring boot version?

Comment From: bclozel

when we scan through blackduck we get critical vulnerabilities.

Can you elaborate? What vulnerabilities are being reported?

Comment From: agwlprince617

Yes sure,

Spring CVE-2024-22243: Spring Framework URL Parsing with Host Validation

Comment From: agwlprince617

More details on the vulnerability https://nvd.nist.gov/vuln/detail/CVE-2024-22243

Comment From: bclozel

I don't see this vulnerability being mentioned in your screenshot. CVE-2024-22243 is fixed in 5.3.32. If your tool is still considering it as vulnerable, please report it to your tool vendor.

Comment From: bclozel

The https://www.cve.org/CVERecord?id=CVE-2024-22243 entry lists the correct versions and so does GHSA-ccgv-vj62-xf9h - I'm not sure where Blackduck gets its metadata from but it looks good from our perspective. In all cases, the main reference should always be our security advisories: https://spring.io/security/cve-2024-22243

Comment From: agwlprince617

Sorry for the confusion @bclozel, I understand your point. We were getting this error while using spring-framework 5.3.31; when we upgrade it to 5.3.32 we are getting the error below. Thanks again in advance!!

Spring CVE-2024-22243: Spring Framework URL Parsing with Host Validation

Comment From: bclozel

This is a false positive. See #24434 for details.