Comment on the following Spring Framework vulnerabilities
Release: 12.0
Per our WCC sustaining engineering team, WCC is not impacted by the vulnerabilities below.
Vulnerability Details: CVE-2022-22971
In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, applications with a STOMP over WebSocket endpoint are vulnerable to a denial of service attack by an authenticated user.
- WCC doesn't use the STOMP protocol or any WebSocket communication.
Vulnerability Details: CVE-2022-22970
In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
- WCC doesn't use data binding of a model to HTML/JSP for a multipart file or servlet Part.
If your security team will not allow an exception for the existence of the files at their current version, then your option forward would be to upgrade to WCC 12.1, as that version of WCC ships with version 5.3.22 of the *spring* files in question.
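As an added check (example code, not from the WCC sustaining team or Oracle), the script below classifies Spring Framework jar filenames against the fixed versions quoted in the CVE descriptions above, so a security team can confirm what an installation actually ships before deciding between an exception and the 12.1 upgrade. The Spring Framework artifact list and the sample filenames are assumptions, not taken from a real WCC install.

```python
import re
from pathlib import Path
# Fixed versions from the CVE-2022-22970 / CVE-2022-22971 text above: 5.3 line fixed
# from 5.3.20, 5.2 line from 5.2.22; older lines are unsupported, so counted affected.
FIXED_IN = {(5, 3): (5, 3, 20), (5, 2): (5, 2, 22)}
# Spring Framework module artifact ids (assumed list; spring-security, spring-boot
# etc. share the prefix but are versioned separately, so they are skipped).
FRAMEWORK_ARTIFACTS = {
    "spring-aop", "spring-aspects", "spring-beans", "spring-context",
    "spring-context-support", "spring-core", "spring-expression", "spring-jcl",
    "spring-jdbc", "spring-jms", "spring-messaging", "spring-orm", "spring-oxm",
    "spring-test", "spring-tx", "spring-web", "spring-webflux", "spring-webmvc",
    "spring-websocket",
}
JAR_RE = re.compile(r"^(spring-[a-z-]+)-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?\.jar$")

def parse_jar(name: str):
    """Return (artifact, (major, minor, patch)) or None for a non-matching filename."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group(1), tuple(int(g) for g in m.group(2, 3, 4))

def is_affected(version) -> bool:
    """True if the version is inside the affected range the CVE text describes."""
    line = version[:2]
    if line in FIXED_IN:
        return version < FIXED_IN[line]
    return line < (5, 2)  # 5.1 and older: unsupported, affected

def classify(name: str) -> str:
    """'affected', 'fixed', or 'skipped' (not a Spring Framework jar)."""
    parsed = parse_jar(name)
    if parsed is None or parsed[0] not in FRAMEWORK_ARTIFACTS:
        return "skipped"
    return "affected" if is_affected(parsed[1]) else "fixed"

def audit(names) -> dict:
    return {n: classify(n) for n in names}

def audit_tree(root: str) -> dict:
    """Walk an install directory (e.g. a WCC domain) and classify every spring-*.jar."""
    return audit(p.name for p in Path(root).rglob("spring-*.jar"))

# Constructed sample filenames (not from a real WCC install) for a stand-alone run.
SAMPLE = ["spring-web-5.3.18.jar", "spring-webmvc-5.3.22.jar",
          "spring-core-5.2.22.RELEASE.jar", "spring-beans-4.3.30.RELEASE.jar",
          "spring-security-core-5.3.1.jar"]
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Point `audit_tree` at the WebLogic domain or WCC installation directory to get the same classification for the jars actually deployed.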