This issue was brought up recently, but there is no mention anywhere of how to fix it in older Spring versions (< 5.x) other than upgrading to the latest Spring jar. Currently our web-app is using 4.1.5.

The article merely states `Older, unsupported versions are also affected` but makes no mention of how to fix those. The Spring website doesn't mention a fix.

Upgrading to the latest Spring is not an option for now. If there are no other solutions to this problem, another approach will be to replace Spring MultipartFile with Apache Commons File Upload.

CVE 22970

Sunderam Dubey
yonikawa
  • *The article merely states `Older, unsupported versions are also affected` but no mention on how to fix those. Spring website doesn't mention a fix.* - that's what unsupported means. – tevemadar May 26 '22 at 15:19
  • I frankly don't have an answer, but "unsupported" means "we no longer maintain or give support to those" so while the developers may decide to backport a fix out of kindness, there's no guarantee they will, nor that they provide workarounds/fixes/instructions about them. So I'm afraid the general answer for these cases would be "find some good java dev that can try to understand how the issue affects your older version and try to backport a fix" – Federico klez Culloca May 26 '22 at 15:19
  • @FedericoklezCulloca - in that case switching to apache is the easiest option I guess. Thanks for the response. – yonikawa May 26 '22 at 15:52
  • @tevemadar - Sorry I didn't catch that part. lol. Recently there were other bugs identified and they did mention some fixes for older versions as well. Was expecting the same here too. – yonikawa May 26 '22 at 15:59

0 Answers