
BDSA-2024-5369 for springboot 3.4.0-M3 app #33755


Closed
patpatpat123 opened this issue Oct 19, 2024 · 5 comments
Labels
status: invalid An issue that we don't feel is valid

Comments

@patpatpat123

Hello team,

We run daily security scan tools (Black Duck, SonarQube, Dependency Check, OWASP, etc.)
They are all flagging this:

```json
{
      "Related Vuln": "",
      "CVE ID": "BDSA-2024-5369",
      "Vulnerability Description": "Spring Framework contains an inefficient regular expression for its handling of Etags. If an application parses ETags from \"If-Match\" or \"If-None-Match\" request headers, a remote attacker could cause a denial-of-service (DoS).",
      "Package Name": "Spring Framework",
      "Package Version": "6.2.0-RC1",
      "Status": "NEW",
      "Vulnerability Published Date": "2024-08-15",
      "Upgrade-Guidance": {
         "Short-Term": "6.1.14",
         "Long-Term": "6.1.14"
      },
```

This is for the latest (as of this writing) Spring Boot 3.4.0-M3 app.

Could you please help take a look at this, and fix the CVE?

Thank you for your kind help

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Oct 19, 2024
@bclozel
Member

bclozel commented Oct 19, 2024

This looks like https://spring.io/security/cve-2024-38809 which is fixed already in 6.2 release candidates. In any case, pointing to a RC release as vulnerable doesn't make sense as it's not supported in production in the first place and we only publish advisories for GA versions.

I can't find any reference to BDSA-2024-5369 nor where this metadata is declared and maintained. Can you point us to the source please?

@bclozel bclozel added the status: waiting-for-feedback We need additional information before we can continue label Oct 19, 2024
@bclozel
Member

bclozel commented Oct 20, 2024

I'll assume this is a mistake in your vendor's metadata and I'll close this issue. Please reach out to your vendor for support.

Note, our public advisories are the reference data for Spring vulnerabilities.

@bclozel bclozel closed this as not planned Oct 20, 2024
@bclozel bclozel added status: invalid An issue that we don't feel is valid and removed status: waiting-for-feedback We need additional information before we can continue status: waiting-for-triage An issue we've not yet triaged or decided on labels Oct 20, 2024
@patpatpat123
Author

Hello @bclozel

Apologies to bump this ticket again.

We waited for 3.4 to be released to post again (again, apologies)

This time, I would like to attach the scan evidence:
Could you please confirm this is not an issue, and the issue is on Black Duck side?
We have an enterprise license with them, and we have already reached out to them to confirm.
[Three Black Duck scan screenshots attached, dated 2024-11-27]

@bclozel
Member

bclozel commented Nov 27, 2024

So this is in fact about https://spring.io/security/cve-2024-38809. The metadata on those screenshots looks fine to me.

Maybe confirm that your application doesn't depend on a vulnerable version first?

You can check the dependency version with Gradle:

```shell
./gradlew dependencyInsight --dependency org.springframework:spring-web --configuration runtimeClasspath
```

Or Maven:

```shell
./mvnw dependency:tree
```

If the resolved version is not vulnerable, there is probably a problem with the tool.
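The check suggested above (confirm the resolved spring-web version before trusting a scanner finding) can be automated over the `dependency:tree` output. The following is an added example, not code from this thread or from the Spring project; it parses Maven tree lines, orders versions so that milestone and release-candidate qualifiers (`M3`, `RC1`) sort before the GA release, and compares every `org.springframework:*` artifact against a minimum fixed version. The sample tree and the minimum `6.1.14` (taken from the scanner's Upgrade-Guidance in the first comment) are assumptions for illustration; substitute the fixed version from the Spring advisory for your own check.

```python
import re
from typing import Dict, Tuple

# Constructed sample of `./mvnw dependency:tree` output (not a real build).
SAMPLE_TREE = r"""
[INFO] +- org.springframework.boot:spring-boot-starter-webflux:jar:3.4.0:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:3.4.0:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:3.4.0:compile
[INFO] |  |  |  \- org.springframework:spring-context:jar:6.2.0:compile
[INFO] |  |  |     +- org.springframework:spring-aop:jar:6.2.0:compile
[INFO] |  |  |     \- org.springframework:spring-expression:jar:6.2.0:compile
[INFO] |  \- org.springframework:spring-web:jar:6.2.0:compile
"""

# Assumed minimum fixed version, copied from the scanner's Upgrade-Guidance.
MINIMUM_FIXED = "6.1.14"


def version_key(version: str) -> Tuple[int, ...]:
    """Sortable key: numeric parts, then a qualifier rank.

    GA (no qualifier) > RCn > Mn > SNAPSHOT/other, so 6.2.0-RC1 < 6.2.0
    but 6.2.0-RC1 > 6.1.14, matching Maven's ordering for these qualifiers.
    """
    base, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in base.split(".") if p.isdigit())
    nums = nums + (0,) * (3 - len(nums))  # pad to major.minor.patch
    q = qualifier.upper()
    digits = re.sub(r"\D", "", q)
    if not q:
        rank = (3, 0)
    elif q.startswith("RC"):
        rank = (2, int(digits or 0))
    elif q.startswith("M"):
        rank = (1, int(digits or 0))
    else:  # SNAPSHOT or an unknown pre-release qualifier
        rank = (0, 0)
    return nums + rank


def is_at_least(version: str, minimum: str) -> bool:
    return version_key(version) >= version_key(minimum)


def parse_dependency_tree(text: str) -> Dict[str, str]:
    """Map 'groupId:artifactId' to the resolved version.

    Maven prints groupId:artifactId:type[:classifier]:version:scope as the
    last token of each tree line; the version is the second-to-last field.
    """
    resolved: Dict[str, str] = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        parts = tokens[-1].split(":")
        if len(parts) < 5:  # not a full coordinate (headers, plugin lines, root)
            continue
        resolved[f"{parts[0]}:{parts[1]}"] = parts[-2]
    return resolved


def check_artifacts(resolved: Dict[str, str], minimum: str,
                    prefix: str = "org.springframework:") -> Dict[str, bool]:
    """True for each matching artifact whose resolved version is >= minimum."""
    return {coord: is_at_least(ver, minimum)
            for coord, ver in resolved.items() if coord.startswith(prefix)}


if __name__ == "__main__":
    tree = parse_dependency_tree(SAMPLE_TREE)
    for coord, ok in check_artifacts(tree, MINIMUM_FIXED).items():
        status = "ok" if ok else "BELOW FIXED VERSION"
        print(f"{coord} {tree[coord]}: {status}")
```

Pipe real output in with `./mvnw dependency:tree | python check.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; any artifact reported below the fixed version is a genuine finding, while an all-ok result points at the scanner's metadata, as the reporter later confirmed here.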

@patpatpat123
Author

Indeed @bclozel

```
[INFO] +- org.springframework.boot:spring-boot-starter-webflux:jar:3.4.0:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:3.4.0:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:3.4.0:compile
[INFO] |  |  |  \- org.springframework:spring-context:jar:6.2.0:compile
[INFO] |  |  |     +- org.springframework:spring-aop:jar:6.2.0:compile
[INFO] |  |  |     \- org.springframework:spring-expression:jar:6.2.0:compile
```

We will take it up with Black Duck.

Thank you again.
