[jira] [Created] (GEODE-10450) Update spring version for CVE-2023-20861

2023-12-18 Thread Ankush Mittal (Jira) 
Ankush Mittal created GEODE-10450:
-

 Summary: Update spring version for CVE-2023-20861
 Key: GEODE-10450
 URL: https://issues.apache.org/jira/browse/GEODE-10450
 Project: Geode
  Issue Type: Bug
Affects Versions: 1.15.1
Reporter: Ankush Mittal


As per [https://nvd.nist.gov/vuln/detail/CVE-2023-20861],

"{_}In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 
5.2.22.RELEASE, and older unsupported versions, it is possible for a user to 
provide a specially crafted SpEL expression that may cause a denial-of-service 
(DoS) condition.{_}"

 

Geode bundles version 5.3.20 which is vulnerable as per the CVE.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (GEODE-10450) Update spring version for CVE-2023-20861

2023-12-18 Thread Alexander Murmann (Jira) 


 [ 
https://issues.apache.org/jira/browse/GEODE-10450?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alexander Murmann updated GEODE-10450:
--
Labels: needsTriage  (was: )

> Update spring version for CVE-2023-20861
> 
>
> Key: GEODE-10450
> URL: https://issues.apache.org/jira/browse/GEODE-10450
> Project: Geode
>  Issue Type: Bug
>Affects Versions: 1.15.1
>Reporter: Ankush Mittal
>Priority: Major
>  Labels: needsTriage
>
> As per [https://nvd.nist.gov/vuln/detail/CVE-2023-20861],
> "{_}In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE 
> - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user 
> to provide a specially crafted SpEL expression that may cause a 
> denial-of-service (DoS) condition.{_}"
>  
> Geode bundles version 5.3.20 which is vulnerable as per the CVE.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)