Hi Michael,

No. Neither DSpace 7.x nor 8.x should be vulnerable to CVE-2024-38819: https://spring.io/security/cve-2024-38819

This vulnerability relates to "functional web frameworks WebMvc.fn or WebFlux.fn" in Spring WebMVC. Neither of these is used in DSpace. An example of what that code looks like is here: https://docs.spring.io/spring-framework/reference/web/webmvc-functional.html

CVE-2024-38820 is also not something that impacts DSpace, because we don't use DataBinder: https://spring.io/security/cve-2024-38820

That said, where possible, DSpace will also obviously update our dependencies to non-vulnerable versions. This will occur in 8.1 (which uses Spring 6.1.x). It's unfortunately not possible to update in DSpace 7.6.x because that uses Spring 5 (which is now only under "Enterprise Support"). That said, sites which have Enterprise Support could perform this update in their root pom.xml.

Tim

On Monday, October 21, 2024 at 7:56:53 AM UTC-5 Michael Plate wrote:
> Hi,
>
> does anybody know if / how DSpace 7/8 (and presumably older 5/6) is
> affected by the Spring Framework's path traversal vulnerability mentioned
> here:
>
> https://spring.io/blog/2024/10/17/spring-framework-cve-2024-38819-and-cve-2024-38820-published/
>
> Michael
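Tim's reasoning above is that the two advisories only matter for code paths that use the functional router (WebMvc.fn / WebFlux.fn) or DataBinder. The following is an added triage helper, not Tim's code and not part of the DSpace project: a POSIX shell script that scans a Java source tree for explicit imports of those Spring packages so an operator can confirm the same conclusion for their own fork or customizations. The Spring package names are the real ones; the two sample Java files are constructed for the demonstration, and the grep is a heuristic on import statements only (it will not see reflective or framework-internal use).

```shell
#!/bin/sh
# Added triage helper (not DSpace project code). Heuristic: count .java files that
# explicitly import the Spring packages the two advisories concern.
#   org.springframework.web.servlet.function          -> WebMvc.fn   (CVE-2024-38819)
#   org.springframework.web.reactive.function.server  -> WebFlux.fn  (CVE-2024-38819)
#   org.springframework.validation.DataBinder         -> DataBinder  (CVE-2024-38820)
#   org.springframework.web.bind.WebDataBinder        -> DataBinder  (CVE-2024-38820)

# count_imports DIR PATTERN -> number of .java files under DIR with an import matching PATTERN (BRE)
count_imports() {
    dir=$1; pattern=$2
    find "$dir" -name '*.java' -exec grep -l "^import[[:space:]]*$pattern" {} + 2>/dev/null \
        | wc -l | tr -d ' '
}

# spring_fn_usage DIR -> "yes" if any file imports the WebMvc.fn or WebFlux.fn router packages
spring_fn_usage() {
    n1=$(count_imports "$1" 'org\.springframework\.web\.servlet\.function')
    n2=$(count_imports "$1" 'org\.springframework\.web\.reactive\.function\.server')
    if [ "$((n1 + n2))" -gt 0 ]; then echo yes; else echo no; fi
}

# databinder_usage DIR -> "yes" if any file imports DataBinder or WebDataBinder directly
databinder_usage() {
    n1=$(count_imports "$1" 'org\.springframework\.validation\.DataBinder')
    n2=$(count_imports "$1" 'org\.springframework\.web\.bind\.WebDataBinder')
    if [ "$((n1 + n2))" -gt 0 ]; then echo yes; else echo no; fi
}

# report DIR -> human-readable summary of both checks
report() {
    echo "WebMvc.fn / WebFlux.fn imports under $1: $(spring_fn_usage "$1")"
    echo "DataBinder / WebDataBinder imports under $1: $(databinder_usage "$1")"
}

# make_sample_tree -> path of a constructed sample tree: one annotated @RestController
# (the pattern DSpace uses, not affected) and one WebMvc.fn router (the affected pattern).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/annotated" "$root/functional"
    cat > "$root/annotated/ItemController.java" <<'EOF'
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ItemController {
    @GetMapping("/items") public String items() { return "ok"; }
}
EOF
    cat > "$root/functional/Routes.java" <<'EOF'
import org.springframework.web.servlet.function.RouterFunction;
import org.springframework.web.servlet.function.RouterFunctions;

public class Routes { }
EOF
    echo "$root"
}

# Usage: sh triage.sh /path/to/dspace-src   (no argument: run against the constructed sample)
if [ "$#" -gt 0 ]; then
    report "$1"
else
    sample=$(make_sample_tree)
    report "$sample"            # sample as a whole: fn=yes, DataBinder=no
    report "$sample/annotated"  # annotated controller alone: fn=no, DataBinder=no
    rm -rf "$sample"
fi
```

Run it against a checkout of your DSpace backend (for example the `dspace-server-webapp` module) to see whether any local customizations pull in the router packages; a "no" on both lines matches Tim's statement for stock DSpace. Pair it with `mvn dependency:tree -Dincludes=org.springframework` to see which Spring version actually resolves, which is the figure that matters if you are on 7.6.x and considering the Enterprise Support override in the root pom.xml.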
