[ https://issues.apache.org/jira/browse/AMQ-9713?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré resolved AMQ-9713.
---------------------------------------
    Resolution: Not A Problem

> Clarification on Exposure to CVE-2024-38819 in ActiveMQ 5.15.4 (Spring 4.3.17)
> ------------------------------------------------------------------------------
>
>                 Key: AMQ-9713
>                 URL: https://issues.apache.org/jira/browse/AMQ-9713
>             Project: ActiveMQ Classic
>          Issue Type: Bug
>    Affects Versions: 5.15.4
>            Reporter: Nagaraju
>            Priority: Critical
>
> Hello ActiveMQ Team,
> We are currently using ActiveMQ version 5.15.4 in our application, which 
> internally depends on Spring Framework version 4.3.17.
> We came across CVE-2024-38819, a high-severity path traversal vulnerability 
> affecting Spring Framework versions 5.3.0 to 6.1.13, specifically in 
> applications that use `RouterFunctions` along with `FileSystemResource` to 
> serve static content.
> The official Spring advisory mentions that “older, unsupported versions are 
> also affected,” but it appears that the vulnerable functional routing API 
> (`WebMvc.fn`, `WebFlux.fn`) was only introduced in Spring 5. Therefore, we 
> believe Spring 4.3.17 (and by extension, ActiveMQ 5.15.4) is *not vulnerable* 
> to this CVE.
> We would like to confirm with the ActiveMQ team whether:
> 1. ActiveMQ 5.15.4 (and its transitive dependency on Spring 4.3.17) is indeed 
> *not affected* by CVE-2024-38819.
> 2. ActiveMQ uses any internal mechanisms that might resemble the vulnerable 
> functional routing features in its own static resource handling or web 
> console features.
> We’d greatly appreciate an official confirmation for our internal security 
> assessment and compliance review.
> Thank you for your support.
> Best regards,  
> Nagaraju
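To make the version reasoning in the report checkable, the following Python script is an added example (not ActiveMQ project code and not tooling from the Spring advisory). It reads Spring jar names from an ActiveMQ `lib/` directory and classifies each bundled version against the affected range quoted in the issue, 5.3.0 to 6.1.13. The `lib/` path, the jar-name pattern and the sample jar list are assumptions. A version inside the range is necessary but not sufficient for exposure, since the issue describes the vulnerable condition as serving static content through `RouterFunctions` with `FileSystemResource`; and because the advisory says older unsupported versions are also affected, a version below the range is reported as "older-than-range" rather than as safe.

```python
"""Classify a Spring Framework version against the CVE-2024-38819 range
quoted in AMQ-9713 (5.3.0 to 6.1.13, inclusive). Added example only."""
import re
import sys
from pathlib import Path

# Affected range as stated in the issue text (both bounds inclusive).
AFFECTED_MIN = (5, 3, 0)
AFFECTED_MAX = (6, 1, 13)

# Assumed jar naming: spring-core-4.3.17.RELEASE.jar, spring-web-5.3.20.jar, ...
JAR_NAME_RE = re.compile(
    r"^spring-(?:core|web|webmvc|webflux)-(\d+)\.(\d+)\.(\d+)(?:\.\w+)?\.jar$"
)


def parse_version(version: str) -> tuple:
    """'4.3.17.RELEASE' -> (4, 3, 17); trailing qualifiers are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def classify(version: str) -> str:
    """Return 'in-range', 'older-than-range' or 'newer-than-range'.

    'in-range' means the advisory's stated range applies; the vulnerable
    RouterFunctions + FileSystemResource pattern must still be present.
    'older-than-range' is NOT a clean bill of health: the advisory says older,
    unsupported versions are also affected, so it needs a manual review.
    """
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "in-range"
    if v < AFFECTED_MIN:
        return "older-than-range"
    return "newer-than-range"


def versions_from_jar_names(names) -> dict:
    """Map each recognised spring-* jar name to its numeric version string."""
    found = {}
    for name in names:
        m = JAR_NAME_RE.match(name)
        if m:
            found[name] = ".".join(m.groups())
    return found


def report_for_lib_dir(lib_dir) -> dict:
    """Scan an ActiveMQ lib/ directory (assumed layout) and classify each Spring jar."""
    names = [p.name for p in Path(lib_dir).glob("spring-*.jar")]
    return {n: classify(v) for n, v in versions_from_jar_names(names).items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = report_for_lib_dir(sys.argv[1])
    else:
        # Constructed sample jar names, labelled as such; not taken from a real install.
        sample = ["spring-core-4.3.17.RELEASE.jar", "spring-web-5.3.20.jar",
                  "spring-webmvc-6.1.14.jar", "activemq-broker-5.15.4.jar"]
        results = {n: classify(v) for n, v in versions_from_jar_names(sample).items()}
    for jar, verdict in sorted(results.items()):
        print(f"{jar}: {verdict}")
```

Run it as `python check_spring_range.py /path/to/apache-activemq-5.15.4/lib` to classify the jars actually shipped; with no argument it runs over the constructed sample list. Treat the output as one input to the assessment the reporter describes, alongside a review of whether any code path in the deployment uses the functional routing API to serve files.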



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact

