GitHub user xingfudeshi added a comment to the discussion: Spring Framework directory traversal vulnerability under specific conditions (CVE-2024-38816)

@hnxydq @molgee Hi, thank you for following up on this issue. Here's an update on our progress regarding CVE-2024-38816:

As officially announced by the Spring team [1], open-source support for Spring Framework 5.3.x (the version currently used in Seata) has ended. The fix for CVE-2024-38816 is only available in commercial releases (e.g., 5.3.40) or in open-source supported versions such as Spring Framework 6.1.13+.

Our team is actively evaluating the effort and risks involved in upgrading to a Spring Framework version with ongoing open-source support. We aim to address this dependency update in a future Seata release, and will keep the community informed of our timeline.

[1] https://spring.io/blog/2024/09/12/spring-framework-releases-fixes-for-cve-2024-38816

GitHub link: https://github.com/apache/incubator-seata/discussions/7521#discussioncomment-15646039

----
This is an automatically sent email for [email protected].
