[GHSA-g5h3-w546-pj7f] Spring Boot Security Bypass with Wildcard Pattern Matching on Cloud Foundry

[quinzhi]

Updates

• Affected products
• References

Comments
Since MAY 19, 2023, the springs project fixed this CVE in 2.5.15 and 2.6.15

[darakian]

Hi @quinzhi, any chance you have a reference substantiating that claim of a fix? The two release pages you've added don't seem to mention the CVE by number

[quinzhi]

Hi @quinzhi, any chance you have a reference substantiating that claim of a fix? The two release pages you've added don't seem to mention the CVE by number

Hi @darakian , The release page of 2.7.11 and 3.0.6 did not mention the CVE number neither, But the #35085 from the release page of 2.7.11 and the #35086 from the release page of 3.0.6 mentioned the CVE number, and the #35411 from the release page of 2.5.15 is the Backport of 35085 to 2.5.x, so is the #35412 from 2.6.15.
Also, the reference from the original advisory-database page spring-boot-2-5-15-and-2-6-15-available-now claimed the fix.

[darakian]

Gotcha. Many thanks!

[advisory-database]

Hi @quinzhi! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!