The corporate security team keeps flagging our ActiveMQ 5.19.0 installation for:
CVE-2024-38819 is a path traversal vulnerability in Spring Framework (versions 5.3.x-6.1.x) when using functional routing APIs (WebMvc.fn or WebFlux.fn) with FileSystemResource.

Based on what I can tell, the following is true:

1. ActiveMQ 5.19.0 does not use Spring functional routing APIs internally.
2. The vulnerability only applies if the application explicitly uses FileSystemResource in Spring functional routing, which is not part of ActiveMQ's core functionality.

Can anyone confirm this is the case so that I can file an exception with our security team with a "statement from the Vendor" that ActiveMQ 5.19.0 is not vulnerable?

Thanks.
