Spring Framework CVE-2024-38819 and CVE-2024-38820 published

Releases | Brian Clozel | October 17, 2024 | ...

The Spring Framework has released version 6.1.14 that contains a fix for both:

  • CVE-2024-38819: Path traversal vulnerability in functional web frameworks (2nd report)
  • CVE-2024-38820: Spring Framework DataBinder case sensitive match exception

Note that open source support for Spring Framework 5.3.x and 6.0.x generations has ended last August, as announced previously. This fix has been applied to the 5.3.41 and 6.0.25 commercial releases, available now.

If you are not a commercial customer, please consider upgrading to an open source supported version at your earliest convenience.

Upgrading Your Project

Commercial customers using Spring Boot 2.7, 3.0, or 3.1 can make use of Spring Boot Hotfix releases 2.7.22.2, 3.0.17.2, and 3.1.13.2. Releases are available now on the Spring commercial artifact repository and can be accessed with a Spring Enterprise Subscription.

Get the Spring newsletter

Stay connected with the Spring newsletter

Subscribe

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all