Spring Framework CVE-2024-38819 and CVE-2024-38820 published
The Spring Framework has released version 6.1.14 that contains a fix for both:
- CVE-2024-38819: Path traversal vulnerability in functional web frameworks (2nd report)
- CVE-2024-38820: Spring Framework DataBinder case sensitive match exception
Note that open source support for the Spring Framework 5.3.x and 6.0.x generations ended last August, as announced previously. The fix has also been applied to the 5.3.41 and 6.0.25 commercial releases, which are available now.
If you are not a commercial customer, please consider upgrading to an open source supported version at your earliest convenience.
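To help triage which of these fixes applies to a given deployment, here is an added Python example (not Spring's own code or tooling) that encodes only the version facts stated in this announcement: 6.1.14 carries the fix for open source users, while 5.3.41 and 6.0.25 are commercial-only fixed releases on generations whose open source support has ended. Any other branch is reported as not covered by this announcement. The dependency lines it scans are constructed for the example and mimic the `group:artifact:type:version:scope` shape of a Maven dependency report; the function and status names are this example's own.

```python
"""Triage declared Spring Framework versions against the fixes announced for
CVE-2024-38819 / CVE-2024-38820. Added example, not Spring project code.

Facts encoded here come from the announcement only:
  - 6.1.14 contains the fix and is an open source release.
  - 5.3.41 and 6.0.25 contain the fix but are commercial-only releases;
    open source support for the 5.3.x and 6.0.x generations has ended.
Anything on another branch is reported as 'not-covered'.
"""
import re
from typing import Dict, Iterable, Tuple

# (major, minor) -> (first fixed patch level, available as open source?)
FIXED_RELEASES = {
    (6, 1): (14, True),    # 6.1.14, open source
    (6, 0): (25, False),   # 6.0.25, commercial only
    (5, 3): (41, False),   # 5.3.41, commercial only
}

SPRING_FRAMEWORK_GROUP = "org.springframework"  # Spring Boot etc. use other group ids

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.].*)?$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a trailing qualifier such as '-SNAPSHOT' is ignored."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Spring Framework version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def triage(version: str, commercial_customer: bool = False) -> str:
    """Classify one Spring Framework version.

    Returns one of:
      'fixed'              - at or above the fixed patch level for its branch
      'upgrade'            - open source branch, move to 6.1.14 or later
      'upgrade-commercial' - EOL branch, commercial fixed release is available
      'migrate'            - EOL branch and no commercial support: move to a
                             supported open source generation
      'not-covered'        - branch not mentioned in the announcement
    """
    major, minor, patch = parse_version(version)
    entry = FIXED_RELEASES.get((major, minor))
    if entry is None:
        return "not-covered"
    first_fixed, open_source = entry
    if patch >= first_fixed:
        return "fixed"
    if open_source:
        return "upgrade"
    if commercial_customer:
        return "upgrade-commercial"
    return "migrate"


def triage_coordinates(lines: Iterable[str], commercial_customer: bool = False) -> Dict[str, str]:
    """Scan dependency coordinate lines and return {artifact: status} for
    Spring Framework artifacts only. Accepts 'group:artifact:version' as well as
    the Maven report shape 'group:artifact:type:version:scope'."""
    results: Dict[str, str] = {}
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 3 or parts[0] != SPRING_FRAMEWORK_GROUP:
            continue  # not a Spring Framework artifact
        artifact = parts[1]
        version = None
        for candidate in parts[2:]:      # first field that looks like a version
            try:
                parse_version(candidate)
            except ValueError:
                continue
            version = candidate
            break
        if version is None:
            continue  # no parsable version in this line
        results[artifact] = triage(version, commercial_customer)
    return results


# Constructed sample input for the example; not output from any real project.
SAMPLE_DEPENDENCIES = [
    "org.springframework:spring-core:jar:6.1.13:compile",
    "org.springframework:spring-webflux:jar:6.1.13:compile",
    "org.springframework.boot:spring-boot:jar:3.3.4:compile",  # different group, skipped
    "org.springframework:spring-web:jar:5.3.39:compile",
]

if __name__ == "__main__":
    for artifact, status in triage_coordinates(SAMPLE_DEPENDENCIES).items():
        print(f"{artifact}: {status}")
```

Running the script on the constructed list reports the 6.1.13 artifacts as `upgrade` (move to 6.1.14) and the 5.3.39 artifact as `migrate`, since a non-commercial user has no open source fix on the 5.3.x generation; passing `commercial_customer=True` turns the latter into `upgrade-commercial`.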