Vulnerability - cve-2024-38819 - Version of spring framework used - File details

Article ID: 388348

Updated On:

Products

CA Identity Governance

Issue/Introduction

Under IG, we see the following Spring jars, which are associated with CVE-2024-38819:

/opt/CA/jboss-eap-7.4/Workpoint/WorkPointDesigner/rcm/spring-core-3.2.10.RELEASE.jar
/opt/CA/jboss-eap-7.4/Workpoint/WorkPointDesigner/src/wpPPCO/WEB-INF/lib/spring-core-4.0.7.RELEASE.jar
/opt/CA/jboss-eap-7.4/Workpoint/WorkPointDesigner/src/wpWebframe/WEB-INF/lib/spring-core-4.0.7.RELEASE.jar
/opt/CA/jboss-eap-7.4/Workpoint/rcm/lib/spring-core-3.2.10.RELEASE.jar
/opt/CA/jboss-eap-7.4/standalone/deployments/eurekify.war/WEB-INF/lib/spring-core-3.2.10.RELEASE.jar

Will Identity Governance be affected?

Environment

Identity Governance 14.5 

Cause

Information

Resolution

For the following jars:

/opt/CA/jboss-eap-7.4/Workpoint/WorkPointDesigner/rcm/spring-core-3.2.10.RELEASE.jar
/opt/CA/jboss-eap-7.4/Workpoint/rcm/lib/spring-core-3.2.10.RELEASE.jar
/opt/CA/jboss-eap-7.4/standalone/deployments/eurekify.war/WEB-INF/lib/spring-core-3.2.10.RELEASE.jar

the vulnerability exists only when "static file routing using RouterFunction and FileSystemResource" is in use.

The following jars are in the examples SRC directory:

/opt/CA/jboss-eap-7.4/Workpoint/WorkPointDesigner/src/wpPPCO/WEB-INF/lib/spring-core-4.0.7.RELEASE.jar
/opt/CA/jboss-eap-7.4/Workpoint/WorkPointDesigner/src/wpWebframe/WEB-INF/lib/spring-core-4.0.7.RELEASE.jar

You can delete the entire SRC folder to address the affected jars.

Identity Governance is not affected by CVE-2024-38819.
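To check the condition named in the Resolution on a host, the following added example (not part of the original article or the product) inventories Spring jars under a directory and reports whether any of them ships the RouterFunction classes of Spring's WebMvc.fn or WebFlux.fn packages. The function names, the `constructed/` jar and its `0.0.0` version are hypothetical, and the sample tree is constructed placeholder data.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Class files that implement functional routing (WebMvc.fn, WebFlux.fn).
ROUTER_CLASSES = (
    "org/springframework/web/servlet/function/RouterFunction.class",
    "org/springframework/web/reactive/function/server/RouterFunction.class",
)
JAR_NAME = re.compile(r"^(spring-[a-z0-9-]+?)-(\d[\w.]*?)(?:\.RELEASE)?\.jar$")

def audit(root):
    """Return one finding per versioned Spring jar under root."""
    findings = []
    for jar in sorted(Path(root).rglob("spring-*.jar")):
        if not (m := JAR_NAME.match(jar.name)):
            continue
        try:
            with zipfile.ZipFile(jar) as zf:
                router = any(c in zf.namelist() for c in ROUTER_CLASSES)
        except zipfile.BadZipFile:
            router = None  # unreadable archive: review by hand
        rel = jar.relative_to(root).as_posix()
        findings.append({
            "path": rel, "artifact": m.group(1), "version": m.group(2),
            "router_function": router,
            # Per the article, jars under WorkPointDesigner/src are examples.
            "examples_src": "WorkPointDesigner/src/" in rel,
        })
    return findings

def build_constructed_tree(root):
    """Create a small constructed tree of placeholder jars (empty classes)."""
    core = "org/springframework/core/io/FileSystemResource.class"
    jars = {
        "Workpoint/rcm/lib/spring-core-3.2.10.RELEASE.jar": core,
        "Workpoint/WorkPointDesigner/src/wpPPCO/WEB-INF/lib/spring-core-4.0.7.RELEASE.jar": core,
        "constructed/lib/spring-webmvc-0.0.0.jar": ROUTER_CLASSES[0],
    }
    for rel, entry in jars.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(entry, b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        print(*audit(tmp), sep="\n")
```

A `router_function` value of False for every jar means the functional routing API is not shipped in that tree; True only means the API is present, and the application's route configuration still needs review.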

Additional Information

https://spring.io/security/cve-2024-38819